Static Scan Results
Scanned 4d ago · by rust-scanner
Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence · public snapshot
Behavioral surface:
  Child Process, Environment Vars, Eval, Filesystem, Network, Shell
  High Entropy Strings, Url Strings
  No License
Source & flagged code
3 flagged

lib/M7000_License.js · L9
    L9:
    L10: const execSync = require('node:child_process').execSync;
    L11:
  High · Child Process
  Package source references child process execution.

lib/M5000_Code.js · L92
    L92: words = lines.join('\n');
    L93: const resultFunc = new Function(`return ${words};`);
    L94:
  Low · Eval
  Package source references a known benign dynamic code generation pattern.

lib/M0000_PackageJson.js · L1797
    L1797: /**
    L1798:  * Creates a package-lock.json in a temp directory by running npm install --package-lock-only.
    L1799:  * Returns the content of the generated package-lock.json, or throws if creation fails.
    ...
    L1804: async function createPackageLockJson(context) {
    L1805:   const { exec } = require('node:child_process');
    L1806:   const os = require('node:os');
  High · Runtime Package Install
  Package source invokes a package manager install command at runtime.

Findings
3 High · 3 Medium · 7 Low
High    Child Process                       lib/M7000_License.js
High    Shell
High    Runtime Package Install             lib/M0000_PackageJson.js
Medium  Network
Medium  Environment Vars
Medium  Structural Risk · Force Deep Review
Low     Non Install Lifecycle Scripts
Low     Scripts Present
Low     Eval                                lib/M5000_Code.js
Low     Filesystem
Low     High Entropy Strings
Low     Url Strings
Low     No License