Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
WildcardDependency
Source & flagged code
2 flagged
dist/_chunks/libs/simple-git.mjs
L4: import { Buffer as Buffer$1 } from "node:buffer";
L5: import { spawn } from "child_process";
L6: import { normalize } from "node:path";
High
Child Process
Package source references child process execution.
dist/_chunks/libs/simple-git.mjs · L4
dist/cli.mjs
Line 17: Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/simple-git.mjs; helper contains network access plus dynamic code execution.
L17: import { promisify } from "util";
L18: import { execFile, execSync, spawn, spawnSync } from "child_process";
L19: import { access, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises";
...
L22: import { createHash as createHash$1 } from "node:crypto";
L23: import { gunzipSync, inflateRawSync } from "node:zlib";
L24: var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1);
...
L41: }
L42: if (!parsed.url.startsWith("http://") && !parsed.url.startsWith("https://")) return null;
L43: try {
...
L61: if (!res.ok) return "unknown";
L62: return (await res.json()).private === true ? "private" : "public";
L63: } catch {
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/cli.mjs · L17
Findings
3 High · 3 Medium · 5 Low
High · Child Process · dist/_chunks/libs/simple-git.mjs
High · Shell
High · Cross File Remote Execution Context · dist/cli.mjs
Medium · Network
Medium · Environment Vars
Medium · Wildcard Dependency
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings