Static Scan Results
scanned 5h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcebin/kolbo-mcp.jsView file
5if (process.argv[2] === 'install') {
L6: require('../src/install.js')
L7: .run()
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/kolbo-mcp.jsView on unpkg · L5src/tools/_shared.jsView file
10* 1. Only http: / https: protocols.
L11: * 2. Block IP literals in private / loopback / link-local / multicast /
L12: * reserved ranges (IPv4 and IPv6).
...
L24: const path = require('path');
L25: const net = require('net');
L26:
...
L171: }
L172: const arrayBuf = await res.arrayBuffer();
L173: const buffer = Buffer.from(arrayBuf);
...
L282: if (ab.byteLength > INLINE_IMG_MAX_BYTES) return null;
L283: return { type: 'image', data: Buffer.from(ab).toString('base64'), mimeType: contentType };
L284: } catch (_) {
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
src/tools/_shared.jsView on unpkg · L10Findings
1 High4 Medium5 Low
HighCloud Metadata Accesssrc/tools/_shared.js
MediumDynamic Requirebin/kolbo-mcp.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings