Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, HighEntropyStrings, UrlStrings
Source & flagged code
3 flagged
dist/tools/tsLangService.js
L41: exports._resetTsServiceCache = _resetTsServiceCache;
L42: const path = __importStar(require("path"));
L43: const fs = __importStar(require("fs"));
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/tools/tsLangService.js · L41
dist/checkpoint/manager.js
L42: const crypto = __importStar(require("crypto"));
L43: const child_process_1 = require("child_process");
L44: // ─── Checkpoint / Rewind ────────────────────────────────────────────────────
...
L133: // polluting the real ~/.nexrall/checkpoints).
L134: const base = process.env.NEXRALL_CHECKPOINT_DIR || path.join(os.homedir(), '.nexrall', 'checkpoints');
L135: this.storeDir = path.join(base, key);
...
L221: return null;
L222: const hash = (r.stdout ?? '').trim();
L223: // Empty output = clean tree (nothing to snapshot). A dangling commit is
...
L332: existed: s.existed,
L333: content: s.content ? s.content.toString('base64') : null,
L334: })),
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/checkpoint/manager.js · L42
dist/tools/executor.js
L39: const os = __importStar(require("os"));
L40: const https = __importStar(require("https"));
L41: const http = __importStar(require("http"));
L42: const dns = __importStar(require("dns"));
L43: const child_process_1 = require("child_process");
L44: const sandbox_1 = require("./sandbox");
...
L59: // cause or a failing assertion lives. To make the full log recoverable WITHOUT
L60: // bloating the model context, we stream the complete stdout+stderr to a temp file
L61: // (bounded by MAX_SPILL_BYTES) and tell the model it can `read_file` that path with
...
L165: function resolvePath(inputPath, workDir) {
L166: const base = workDir ?? process.cwd();
L167: const resolved = path.isAbsolute(inputPath)
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/tools/executor.js · L39
Findings
1 High · 4 Medium · 6 Low
High · Cloud Metadata Access · dist/tools/executor.js
Medium · Dynamic Require · dist/tools/tsLangService.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/checkpoint/manager.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings