Static Scan Results
scanned 5d ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcelib/ports.mjsView file
10// we TERM (then KILL) the listener instead of skipping, exactly like dev.sh.
L11: import { execFileSync } from 'node:child_process';
L12: import net from 'node:net';
High
lib/publish.test.mjsView file
8import assert from 'node:assert/strict';
L9: import http from 'node:http';
L10: import { createHash } from 'node:crypto';
...
L16:
L17: process.env.LOOOP_HOME = mkdtempSync(join(tmpdir(), 'looop-pub-home-'));
L18:
...
L29: body,
L30: }).formData();
L31: const parts = {};
L32: for (const [name, value] of parsed.entries()) {
L33: parts[name] = typeof value === 'string' ? value : Buffer.from(await value.arrayBuffer()).toString('utf8');
L34: }
High
Credential Exfiltration
Source combines credential-like environment material and outbound requests; review data flow before blocking.
lib/publish.test.mjsView on unpkg · L8lib/create.mjsView file
161if (install) {
L162: log(`Installing the engine (npm install in ${name}/)…`);
L163: execFileSync('npm', ['install', '--no-audit', '--no-fund'], { cwd: dir, stdio: 'pipe' });
L164: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
lib/create.mjsView on unpkg · L161Findings
4 High3 Medium5 Low
HighChild Processlib/ports.mjs
HighShell
HighCredential Exfiltrationlib/publish.test.mjs
HighRuntime Package Installlib/create.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License