Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
3 flagged · loading sourcedist/drift/depsDrift.jsView file
76"buffer",
L77: "child_process",
L78: "cluster",
High
Child Process
Package source references child process execution.
dist/drift/depsDrift.jsView on unpkg · L76dist/mcp/server.jsView file
63async function llmComplete(system, userMessage) {
L64: const { OpenAILLMProvider } = await import("@intentweave/plugin-llm");
L65: const apiKey = process.env.OPENAI_API_KEY;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/mcp/server.jsView on unpkg · L63dist/commands/plugin.jsView file
59try {
L60: execSync(`npm install -g ${pkg}`, { stdio: "inherit" });
L61: console.log(chalk.green(`✓ ${pkg} installed.`));
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/plugin.jsView on unpkg · L59Findings
3 High3 Medium3 Low
HighChild Processdist/drift/depsDrift.js
HighShell
HighRuntime Package Installdist/commands/plugin.js
MediumDynamic Requiredist/mcp/server.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings