Static Scan Results
scanned 4h ago · by rust-scanner
Static analysis flagged 10 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: Child Process, Environment Vars, Filesystem, Network, Shell, High Entropy Strings, URL Strings
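The behavioral-surface tags are the categories a static signal pass reports before any reviewer looks at the code. To make concrete what such a pass actually does, here is a minimal detector run over the lines quoted on this page plus three constructed lines. This is an added example, not rust-scanner's code: the rule regexes, the entropy threshold and the category names are assumptions chosen to mirror the tags above, and real scanners work on an AST rather than on lines.

```javascript
// Added example, not rust-scanner's code: a minimal static "behavioral surface"
// pass over numbered source lines. Rule regexes, thresholds and category names
// are assumptions chosen to mirror the tags shown on the scan page.

const RULES = [
  { category: "ChildProcess",
    re: /\bfrom\s+["']node:child_process["']|require\(\s*["']child_process["']\s*\)/ },
  // A string (not an argv array) handed to exec/execSync implies a shell.
  { category: "Shell", re: /\b(?:exec|execSync)\s*\(\s*[`"']/ },
  { category: "RuntimePackageInstall",
    re: /\b(?:npm\s+(?:install|i|add)|pnpm\s+add|yarn\s+(?:global\s+)?add)\b/ },
  { category: "Network",
    re: /\bfrom\s+["']node:(?:https?|net|dns)["']|\bfetch\s*\(/ },
  { category: "EnvironmentVars", re: /\bprocess\.env\b/ },
  { category: "Filesystem",
    re: /\bfrom\s+["']node:fs(?:\/promises)?["']|require\(\s*["']fs["']\s*\)/ },
  { category: "UrlStrings", re: /https?:\/\/[^\s"'`]+/ },
];

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Quoted literals that are long and high-entropy (embedded keys, blobs).
function highEntropyLiterals(line, minLen = 20, minBits = 4.0) {
  const hits = [];
  for (const m of line.matchAll(/["'`]([A-Za-z0-9+/=_-]{20,})["'`]/g)) {
    if (m[1].length >= minLen && shannonEntropy(m[1]) >= minBits) hits.push(m[1]);
  }
  return hits;
}

// Returns [{ line, category, snippet }] sorted by line number.
function scan(lines) {
  const findings = [];
  for (const { n, text } of lines) {
    for (const { category, re } of RULES) {
      if (re.test(text)) findings.push({ line: n, category, snippet: text.trim() });
    }
    if (highEntropyLiterals(text).length > 0) {
      findings.push({ line: n, category: "HighEntropyStrings", snippet: text.trim() });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// The distinct categories hit, i.e. the "behavioral surface".
function surface(findings) {
  return [...new Set(findings.map((f) => f.category))].sort();
}

// Constructed input: the lines quoted on the scan page (11-14, 51-52, 55) plus
// three constructed lines (90-92) so that more categories have a match.
const SAMPLE = [
  { n: 11, text: 'import { exec, execSync } from "node:child_process";' },
  { n: 12, text: 'import { promisify } from "node:util";' },
  { n: 13, text: 'const execAsync = promisify(exec);' },
  { n: 14, text: 'export const CLI_PACKAGE = "@polpo-ai/cli";' },
  { n: 51, text: '  ? `pnpm add -g ${PACKAGE_NAME}@${version}`' },
  { n: 52, text: '  : `npm install -g ${PACKAGE_NAME}@${version}`;' },
  { n: 55, text: '  execSync("npm cache clean --force", { stdio: "ignore", timeout: 30_000 });' },
  { n: 90, text: 'const token = process.env.POLPO_TOKEN ?? "";' },         // constructed
  { n: 91, text: 'const ENDPOINT = "https://example.invalid/api";' },       // constructed
  { n: 92, text: 'const KEY = "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789";' },   // constructed
];

for (const f of scan(SAMPLE)) console.log(`L${f.line} ${f.category}: ${f.snippet}`);
console.log("surface:", surface(scan(SAMPLE)).join(", "));
```

Note what a line-based pass cannot tell apart: `promisify(exec)` on L13 binds a shell-capable function without a call site, so only the import on L11 trips the Child Process rule here, and `npm cache clean --force` on L55 is a child process with a fixed string but not a runtime install. That is why the page reports the result as a surface for review rather than as a verdict.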
Source & flagged code
3 flagged

dist/util/install-cli.js
L10: */
L11: import { exec, execSync } from "node:child_process";
L12: import { promisify } from "node:util";
High · Child Process · dist/util/install-cli.js L10–12
Package source references child process execution.

L12: import { promisify } from "node:util";
L13: const execAsync = promisify(exec);
L14: export const CLI_PACKAGE = "@polpo-ai/cli";
High · Shell · dist/util/install-cli.js L12–14
dist/util/self-update.js
L50: const cmd = pm === "pnpm"
L51:   ? `pnpm add -g ${PACKAGE_NAME}@${version}`
L52:   : `npm install -g ${PACKAGE_NAME}@${version}`;
...
L54: try {
L55:   execSync("npm cache clean --force", { stdio: "ignore", timeout: 30_000 });
L56: }
High · Runtime Package Install · dist/util/self-update.js L50
Package source invokes a package manager install command at runtime.

Findings
3 High · 3 Medium · 4 Low
High · Child Process · dist/util/install-cli.js
High · Shell · dist/util/install-cli.js
High · Runtime Package Install · dist/util/self-update.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk · Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · URL Strings