Static Scan Results
scanned 1h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.jsView file
67import { createHash } from "node:crypto";
L68: import { spawnSync } from "node:child_process";
L69: import { cpSync, existsSync as existsSync3, mkdirSync, mkdtempSync, readdirSync as readdirSync3, readFileSync as readFileSync2, statSync } from "node:fs";
High
61Cross-file remote execution chain: dist/cli.js spawns assets/portfolio-dashboard/app.js; helper contains network access plus dynamic code execution.
L61: const bundlePath = join2(bundlesDir, entry.name);
L62: return JSON.parse(readFileSync(bundlePath, "utf8"));
L63: }).sort((a, b) => a.id.localeCompare(b.id));
...
L67: import { createHash } from "node:crypto";
L68: import { spawnSync } from "node:child_process";
L69: import { cpSync, existsSync as existsSync3, mkdirSync, mkdtempSync, readdirSync as readdirSync3, readFileSync as readFileSync2, statSync } from "node:fs";
...
L90: if (result.status !== 0) {
L91: throw new Error(`npx skills ${options.operation} failed with exit code ${result.status}`);
L92: }
...
L235: "public",
L236: "private",
L237: "third-party"
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.jsView on unpkg · L61Findings
3 High2 Medium5 Low
HighChild Processdist/cli.js
HighShell
HighCross File Remote Execution Contextdist/cli.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings