Static Scan Results
scanned 59m ago · by rust-scannerStatic analysis flagged 50 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
41 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L19AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L19AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L30GitHub personal access token in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L31RSA private key in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L32AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L54AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L61AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L63AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L69AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L75AWS access key ID in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L128Hardcoded password in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L41Hardcoded password in bundled/services/backend/tests/repoDisciplineRisk.test.js
bundled/services/backend/tests/repoDisciplineRisk.test.jsView on unpkg · L70Package source references dynamic require/import behavior.
bin/khy.jsView on unpkg · L18Package source references shell execution.
bundled/scripts/bench/win_cost_compact.jsView on unpkg · L14Package source references a known benign dynamic code generation pattern.
bundled/software/khyquant/frontend/dist/assets/IntelligentStrategySelector-DPLaZEuV.jsView on unpkg · L1Package source executes code through a VM context API.
bundled/software/khyquant/services/backtestEngine.jsView on unpkg · L1Package source references weak cryptographic algorithms.
bundled/platform/packages/shared/src/services/gateway/example_plugins/cache-plugin.jsView on unpkg · L1Source writes installer persistence such as shell profile or service configuration.
bundled/services/backend/tests/services/additionalDirectories.test.jsView on unpkg · L28A single source file combines environment access, network access, and code or shell execution; review context before blocking.
bundled/services/backend/bin/khy.jsView on unpkg · L740Source matches reverse-shell style process and socket wiring.
bundled/services/ai-backend/src/services/securityGuardService.jsView on unpkg · L15Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
bundled/scripts/diagnostics/fuzzInputCorpus.jsView on unpkg · L65Package ships WebAssembly modules.
bundled/software/khyquant/frontend/dist/wasm/khy-math-demo.wasmView on unpkgPackage ships non-JavaScript build or shell helper files.
bundled/tools/khyos-markdown/unregister-linux.shView on unpkgPackage ships compressed or archive-like blobs.
bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsixView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
bundled/extensions/khy-trae-bridge/khy-trae-bridge-0.2.1.vsixView on unpkgPackage ships high-entropy non-source blobs.
bundled/docs/07_OPS_运维/[OPS-MAN-043] 从0到高手-新手成长路线与pip安装后清单.pdfView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
bundled/services/ai-backend/test/fixtures/coze/sample-linear.zipView on unpkgPackage contains source files above the static scanner size ceiling.
bundled/tools/khyos-markdown/vendor/khyos-muya.jsView on unpkgHardcoded password in bundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.js
bundled/software/khyquant/frontend/dist/assets/Debug--vriC6bB.jsView on unpkg · L1Hardcoded password in bundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.js
bundled/apps/ai-frontend/dist/assets/Login-BD-XGBty.jsView on unpkg · L1RSA private key in bundled/services/backend/tests/tools/securityScan.test.js
bundled/services/backend/tests/tools/securityScan.test.jsView on unpkg · L36Hardcoded password in bundled/services/backend/tests/auth.sessionSecurityRoutes.test.js
bundled/services/backend/tests/auth.sessionSecurityRoutes.test.jsView on unpkg · L85RSA private key in bundled/services/backend/tests/proxyServer.https.test.js
bundled/services/backend/tests/proxyServer.https.test.jsView on unpkg · L10Hardcoded password in bundled/services/backend/src/constants/commandSchema.js
bundled/services/backend/src/constants/commandSchema.jsView on unpkg · L234Hardcoded password in bundled/services/backend/src/routes/admin.js
bundled/services/backend/src/routes/admin.jsView on unpkg · L141Hardcoded password in bundled/services/backend/src/services/cliAuthService.js
bundled/services/backend/src/services/cliAuthService.jsView on unpkg · L282Hardcoded password in bundled/services/ai-backend/test/workflow.routes.test.js
bundled/services/ai-backend/test/workflow.routes.test.jsView on unpkg · L39