Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
Child Process · Crypto · Environment Vars · Network · Shell · High Entropy Strings · Url Strings
Source & flagged code
3 flagged
dist/browser-session.js
L1: import { spawn } from 'node:child_process';
L2: import { randomUUID } from 'node:crypto';
High
Child Process
Package source references child process execution.
dist/browser-session.js · L1
dist/sidecar/install.js
L2: * Playwright lifecycle: import, launch, and one-shot auto-install of the
L3: * per-browser binary. Keeps the dispatch layer free of node:child_process
L4: * + Playwright-import noise.
...
L61: const onChunk = (chunk) => {
L62: const text = chunk.toString('utf8');
L63: for (const line of text.split(/\r?\n/))
...
L67: };
L68: child.stdout.on('data', onChunk);
L69: child.stderr.on('data', onChunk);
...
L101: throw err;
L102: process.stderr.write(`moxxy-browser: ${which} binary missing, running \`npx playwright install ${which}\` ` +
L103: `(one-time, ~150MB). This may take a minute…\n`);
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/sidecar/install.js · L2
L221: return new Promise((resolve, reject) => {
L222: const child = spawn('npx', ['playwright', 'install', which], {
L223: stdio: ['ignore', 'pipe', 'pipe'],
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/sidecar/install.js · L221
Findings
4 High · 3 Medium · 3 Low
High · Child Process · dist/browser-session.js
High · Shell
High · Cloud Metadata Access · dist/sidecar/install.js
High · Runtime Package Install · dist/sidecar/install.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · High Entropy Strings
Low · Url Strings