Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell · HighEntropyStrings · Telemetry · UrlStrings
Source & flagged code
2 flagged
dist/daemon/autostart.js
L9: import path from 'path';
L10: import { execFileSync } from 'child_process';
L11: import { buildSpawnArgs, buildChildEnv } from './process.js';
...
L13: const LAUNCHD_LABEL = 'dev.munchfile.daemon';
L14: const LAUNCHD_PLIST_PATH = path.join(os.homedir(), 'Library', 'LaunchAgents', 'dev.munchfile.daemon.plist');
L15: const SYSTEMD_UNIT_NAME = 'munchfile.service';
L16: const SYSTEMD_UNIT_DIR = path.join(process.env.XDG_CONFIG_HOME ?? path.join(os.homedir(), '.config'), 'systemd', 'user');
L17: const SYSTEMD_UNIT_PATH = path.join(SYSTEMD_UNIT_DIR, SYSTEMD_UNIT_NAME);
L18: const LAUNCHCTL = '/bin/launchctl';
L19: const SYSTEMCTL = '/usr/bin/systemctl';
...
L23: export function detectPlatform() {
L24: if (process.platform === 'darwin')
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/daemon/autostart.js · L9

dist/daemon/watch-core.js
L26 · package = @munchfile/cli; repositoryIdentity = munchfile; dependency = @munchfile/watch-core-native
L26: try {
L27: const native = await import('@munchfile/watch-core-native');
L28: nativeCtor = native.WatchCore;
High
Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.
dist/daemon/watch-core.js · L26

Findings
1 High · 4 Medium · 6 Low
High · Copied Package Dependency Bridge · dist/daemon/watch-core.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/daemon/autostart.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings