Static Scan Results
scanned 7h ago · by rust-scanner
Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: Child Process, Environment Vars, Filesystem, Network, Shell, High Entropy Strings, Url Strings
Source & flagged code
3 flagged
dist/index.js
L33: } from "@modelcontextprotocol/sdk/types.js";
L34: import { execSync } from "child_process";
L35: import { z } from "zod";
High
L78: mode: DeliveryModeSchema.describe(
L79: "'self_hosted' = the API pushes the moment work lands (requires `npx -y @paigy/mcp paigy-listen` running); 'poll' = the default, you catch up via check_replies/await_reply."
L80: )
...
L84: try {
L85: return execSync(cmd, { stdio: ["ignore", "pipe", "ignore"], encoding: "utf8" }).trim();
L86: } catch {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.js (L78)
dist/listen.js
L19: if (cmd && (work.replies.length > 0 || work.requests.length > 0 || work.owedCallbacks.length > 0)) {
L20: spawn(cmd, { shell: true, stdio: "inherit" });
L21: }
High
Findings
3 High · 3 Medium · 4 Low
High: Child Process (dist/index.js)
High: Shell (dist/listen.js)
High: Runtime Package Install (dist/index.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk (Force Deep Review)
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings