Static Scan Results
scanned 9d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node src/ensure-node-pty-ready.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgsrc/main.jsView file
2import { LucenaAgent } from './agent.js';
L3: import { spawn } from 'child_process';
L4: import { registerProTunnel, validateStoredProToken } from './pro-token.js';
...
L40: function desktopPlatformLabel() {
L41: if (process.platform === 'darwin') return 'macOS';
L42: if (process.platform === 'win32') return 'Windows';
...
L51: : 'linux';
L52: return `https://lucenacoder.com/download/${platform}`;
L53: }
...
L74: export async function main() {
L75: const cwd = process.cwd();
L76: const proStatus = await validateStoredProToken();
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/main.jsView on unpkg · L2grammars/tree-sitter-go.wasmView file
•path = grammars/tree-sitter-go.wasm
kind = wasm_module
sizeBytes = 218901
magicHex = [redacted]
Medium
Findings
2 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitysrc/main.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Modulegrammars/tree-sitter-go.wasm
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings