Static Scan Results
scanned 15d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/store/keys.jsView file
34try {
L35: const imported = (await import(keychainModuleName));
L36: cachedKeytar = imported.default ?? imported;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/store/keys.jsView on unpkg · L34dist/tools/web/ssrf-guard.jsView file
2* SSRF guard — classifies an address (or a hostname literal) as belonging
L3: * to a private/loopback/link-local/cloud-metadata/CGNAT range.
L4: *
...
L19: */
L20: import net from "node:net";
L21: /**
...
L23: * `http:` or `https:`. Returns `false` for any other scheme (including
L24: * `ftp:`, `file:`, `data:`, `javascript:`, `gopher:`), for empty strings,
L25: * for malformed inputs that fail `new URL()` parsing, and for non-string
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/tools/web/ssrf-guard.jsView on unpkg · L2Findings
1 High4 Medium5 Low
HighCloud Metadata Accessdist/tools/web/ssrf-guard.js
MediumDynamic Requiredist/store/keys.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings