Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/lib/pm.jsView file
1import { spawnSync } from "node:child_process";
L2: import { existsSync } from "node:fs";
High
76return undefined;
L77: return new CLIError(`${pm} ${major} is too old — the starter template needs ${pm} ${min} or newer.`, `Upgrade (e.g. "npm install -g ${pm}@latest" or "corepack use ${pm}@${min}"), `...
L78: `then re-run. Or pick another package manager: "peek init --pm npm".`);
...
L80: function installedMajor(pm) {
L81: const result = spawnSync(pm, ["--version"], { encoding: "utf8" });
L82: if (result.status !== 0 || typeof result.stdout !== "string")
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/lib/pm.jsView on unpkg · L76dist/lib/claude.jsView file
4import { join } from "node:path";
L5: import { execa } from "execa";
L6: // Optional integration: if the developer has the Claude Code CLI installed, we use it to
High
Findings
3 High3 Medium4 Low
HighChild Processdist/lib/pm.js
HighShelldist/lib/claude.js
HighRuntime Package Installdist/lib/pm.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings