Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
4 flagged · loading sourcescripts/openprd-codex-isolated-worker.mjsView file
3import crypto from 'node:crypto';
L4: import { spawn, spawnSync } from 'node:child_process';
L5: import fs from 'node:fs/promises';
High
Child Process
Package source references child process execution.
scripts/openprd-codex-isolated-worker.mjsView on unpkg · L3src/self-update.jsView file
219const command = process.platform === 'win32' ? 'where openprd' : 'command -v openprd';
L220: const result = await runProcess(command, [], { shell: true });
L221: const executable = result.stdout.split(/\r?\n/).map((line) => line.trim()).find(Boolean) ?? null;
High
src/learning-review.jsView file
376...ws,
L377: data: {
L378: ...ws.data,
...
L1325: ' assets/',
L1326: ' learning-package.json',
L1327: ' learning-content.json',
Low
Weak Crypto
Package source references weak cryptographic algorithms.
src/learning-review.jsView on unpkg · L376src/canvas-workspace.jsView file
25Cross-file remote execution chain: src/canvas-workspace.js spawns src/canvas-app.html.js; helper contains network access plus dynamic code execution.
L25: import { createReadStream } from 'node:fs';
L26: import http from 'node:http';
L27: import os from 'node:os';
L28: import path from 'node:path';
L29: import { spawn } from 'node:child_process';
L30: import { fileURLToPath } from 'node:url';
...
L87: });
L88: res.end(JSON.stringify(payload, null, 2));
L89: }
...
L111: }
L112: const text = Buffer.concat(chunks).toString('utf8');
L113: if (!text.trim()) {
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
src/canvas-workspace.jsView on unpkg · L25Findings
3 High2 Medium6 Low
HighChild Processscripts/openprd-codex-isolated-worker.mjs
HighShellsrc/self-update.js
HighCross File Remote Execution Contextsrc/canvas-workspace.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptosrc/learning-review.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings