Static Scan Results
scanned 8d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgbin/tandem-tui.jsView file
3const path = require("path");
L4: const https = require("https");
L5: const { spawnSync } = require("child_process");
L6:
L7: const binaryName = process.platform === "win32" ? "tandem-tui.exe" : "tandem-tui";
L8: const binaryPath = path.join(__dirname, "native", binaryName);
L9:
L10: const packageInfo = require("../package.json");
L11: const UPDATE_CHECK_TIMEOUT_MS = 1200;
...
L53: try {
L54: const parsed = JSON.parse(body);
L55: resolve(typeof parsed.version === "string" ? parsed.version : null);
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/tandem-tui.jsView on unpkg · L3Findings
2 High4 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitybin/tandem-tui.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings