Static Scan Results
scanned 1d ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot

Behavioral surface
Child Process · Environment Vars · Filesystem · Network · High Entropy Strings · Url Strings
Source & flagged code
4 flagged

templates/marketplace/client/market.ts
patternName = generic_password
severity = medium
line = 15
matchedText = password...23",
Medium · Secret Pattern
Package contains a possible secret pattern.
templates/marketplace/client/market.ts · L15

patternName = generic_password
severity = medium
line = 23
matchedText = password...23",
Medium · Secret Pattern
Hardcoded password in templates/marketplace/client/market.ts
templates/marketplace/client/market.ts · L23
bin/create-pylon.js
L617: console.log(`Installing dependencies with ${flags.pm}...`);
L618: const { spawnSync } = await import("node:child_process");
L619: const result = spawnSync(flags.pm, ["install"], {
High · Child Process
Package source references child process execution.
bin/create-pylon.js · L617

L617: console.log(`Installing dependencies with ${flags.pm}...`);
L618: const { spawnSync } = await import("node:child_process");
L619: const result = spawnSync(flags.pm, ["install"], {
...
L632: //
L633: // `npx skills add pylonsync/pylon` (skills.sh) detects the installed agent
L634: // (Claude Code / Codex / Cursor) and drops the canonical skill from this
High · Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/create-pylon.js · L617

Findings
2 High · 5 Medium · 4 Low
High    Child Process                        bin/create-pylon.js
High    Runtime Package Install              bin/create-pylon.js
Medium  Secret Pattern                       templates/marketplace/client/market.ts
Medium  Network
Medium  Environment Vars
Medium  Structural Risk (Force Deep Review)
Medium  Secret Pattern                       templates/marketplace/client/market.ts
Low     Scripts Present
Low     Filesystem
Low     High Entropy Strings
Low     Url Strings