Static Scan Results
scanned 6d ago · by rust-scannerStatic analysis completed at 65.0% confidence. No malicious behavior was detected; 13 low-signal pattern(s) were surfaced and cleared.
Static reason
No blocking static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcedist/lib/claude.jsView file
6import { basename, join } from 'path';
L7: import { execSync, spawnSync } from 'child_process';
L8: import { homedir } from 'os';
High
dist/lib/gh-remote.jsView file
19// 1. gh present?
L20: const which = spawn('command', ['-v', 'gh'], { encoding: 'utf-8', stdio: 'pipe', shell: true });
L21: if (which.status !== 0) {
High
dist/index.jsView file
42const __dirname = dirname(fileURLToPath(import.meta.url));
L43: const require = createRequire(import.meta.url);
L44: const pkg = require(join(__dirname, '../package.json'));
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L42dist/commands/pr-sync.jsView file
53const apiUrl = options.apiUrl || getConfigValue('observability-api-url') || DEFAULT_API_URL;
L54: const apiToken = options.apiToken || getConfigValue('observability-api-token') || process.env.OBSERVABILITY_API_TOKEN;
L55: if (!apiToken) {
...
L59: }
L60: if (apiUrl && !apiUrl.startsWith('http://') && !apiUrl.startsWith('https://')) {
L61: if (!quiet)
...
L65: // Detect repo from gh CLI
L66: const repoResult = spawnSync('gh', ['repo', 'view', '--json', 'nameWithOwner', '--jq', '.nameWithOwner'], {
L67: encoding: 'utf-8', stdio: 'pipe',
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/commands/pr-sync.jsView on unpkg · L53Findings
3 High4 Medium6 Low
HighChild Processdist/lib/claude.js
HighShelldist/lib/gh-remote.js
HighSame File Env Network Executiondist/commands/pr-sync.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License