Static Scan Results
scanned 5d ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
Child Process · Crypto · Environment Vars · Filesystem · Network · Shell
High Entropy Strings · Url Strings
Source & flagged code
3 flagged · dist/index.js
L4: import { createConnection } from "net";
L5: import { execFileSync, spawn, spawnSync } from "child_process";
L6: import { randomUUID } from "crypto";
High
L3118: detail: `${host}:${port} unreachable (${health.error ?? "unknown"})`,
L3119: hint: "Run `cctabs install-tabby-plugin` from inside a Tabby tab — it npm-installs the plugin and reopens Tabby. Or do it by hand: `npm install --legacy-peer-deps --prefix \"$HOME/...
L3120: };
...
L3132: function checkSpawnedShellPath() {
L3133: const r = spawnSync("zsh", [
L3134: "-l",
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.js · L3118
L3: import { cli, define } from "gunshi";
L4: import { createConnection } from "net";
L5: import { execFileSync, spawn, spawnSync } from "child_process";
L6: import { randomUUID } from "crypto";
...
L11: import * as p from "@clack/prompts";
L12: //#region package.json
L13: var name = "@generativereality/cctabs";
...
L34: "check": "npm run typecheck && npm run test && npm run build",
L35: "release": "bumpp && npm publish",
L36: "sync-plugin": "bash scripts/sync-plugin.sh",
...
L78: function detectTerminal() {
L79: const prog = process.env.TERM_PROGRAM ?? "";
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/index.js · L3
Findings
3 High · 4 Medium · 4 Low
High · Child Process · dist/index.js
High · Shell
High · Runtime Package Install · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/index.js
Medium · Structural Risk · Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings