Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/config/loader.jsView file
1import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
L2: import { execSync } from 'child_process';
L3: import { createInterface } from 'readline';
High
Child Process
Package source references child process execution.
dist/config/loader.jsView on unpkg · L1dist/reviewers/conflict-resolve.jsView file
3import { join } from 'path';
L4: import { execa } from 'execa';
L5: import { applyEdit } from './fix.js';
High
dist/commands/init.jsView file
173try {
L174: execSync('smee --version', { stdio: 'ignore' });
L175: }
...
L177: console.log(chalk.dim('Tip: install smee-client for reliable webhook delivery (events queued while offline):'));
L178: console.log(chalk.dim(' npm install -g smee-client'));
L179: console.log(chalk.dim(' Then set tunnel: backend: smee in your config.\n'));
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/init.jsView on unpkg · L173Findings
3 High3 Medium5 Low
HighChild Processdist/config/loader.js
HighShelldist/reviewers/conflict-resolve.js
HighRuntime Package Installdist/commands/init.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings