Static Scan Results
scanned 12d ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
UrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
3import { join } from "node:path";
L4: import { spawnSync } from "node:child_process";
L5: import { ensureAppID, publish, generate, fiberCachePath, writeFiberCache } from "./typegen.js";
...
L17: try {
L18: pkg = JSON.parse(await readFile(join(projectRoot, "package.json"), "utf8"));
L19: } catch {
...
L23: console.log("building…");
L24: const npm = process.platform === "win32" ? "npm.cmd" : "npm";
L25: const res = spawnSync(npm, ["run", "build"], { cwd: projectRoot, stdio: "inherit" });
...
L40: function env(...names) {
L41: for (const n of names) if (process.env[n]) return process.env[n];
L42: return "";
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L3Findings
1 High2 Medium4 Low
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings