Static Scan Results
scanned 10d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/config/src/paths.tsView file
270L271: async function loadFsPromises(): Promise<typeof import('node:fs/promises')> {
L272: return Function('specifier', 'return import(specifier)')('node:fs/promises');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/config/src/paths.tsView on unpkg · L270src/auth/src/oauth.tsView file
1import { spawn } from 'node:child_process';
L2: import { randomBytes, createHash } from 'node:crypto';
...
L5: const CLAUDE_CLI_VERSION = '1.0.61';
L6: const OAUTH_TOKEN_ENDPOINT = 'https://platform.claude.com/v1/oauth/token';
L7: const OAUTH_REDIRECT_URI = 'https://platform.claude.com/oauth/code/callback';
...
L12: function generatePKCE() {
L13: // Generate random verifier (43-128 characters, base64url encoded)
L14: const verifier = randomBytes(32)
...
L31: async function openBrowser(url: string) {
L32: const platform = process.platform;
L33: let command: string;
...
L51: if (code === 0) resolve();
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/auth/src/oauth.tsView on unpkg · L1Findings
1 High4 Medium4 Low
HighSandbox Evasion Gated Capabilitysrc/auth/src/oauth.ts
MediumDynamic Requiresrc/config/src/paths.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings