Static Scan Results
scanned 3d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/runner-5lTuEoEo.mjsView file
22* plugins can't be tricked into reaching cloud-metadata endpoints or
L23: * literal private IPs even without an explicit allowlist.
L24: */
...
L163: */
L164: async function sandboxHttpFetch(url, init, options) {
L165: const { capabilities, allowedHosts } = options;
...
L189: headers,
L190: text: await response.text()
L191: };
...
L330: parentId: columnNullableString(row.parent_id),
L331: data: columnJsonObject(row.data),
L332: locale: columnString(row.locale),
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/runner-5lTuEoEo.mjsView on unpkg · L22dist/db/playground-middleware.mjsView file
713package = @kafe.studio/cloudflare; repositoryIdentity = kafecms; dependency = kafecms
L713: const { loadSeed } = await import("kafecms/seed");
L714: const { applySeed } = await import("kafecms");
L715: const seedResult = await applySeed(db, await loadSeed(), {
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/db/playground-middleware.mjsView on unpkg · L713Findings
2 High3 Medium4 Low
HighCloud Metadata Accessdist/runner-5lTuEoEo.mjs
HighCopied Package Dependency Bridgedist/db/playground-middleware.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings