Static Scan Results
scanned 1h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsObfuscatedUrlStrings
Source & flagged code
2 flagged · loading sourcedist/commands/gemma/setup.jsView file
8import path from 'node:path';
L9: import { execFileSync, spawn as nodeSpawn } from 'node:child_process';
L10: import chalk from 'chalk';
...
L22: input: process.stdin,
L23: output: process.stdout,
L24: });
...
L46: const pctStr = (pct * 100).toFixed(0).padStart(3);
L47: process.stderr.write(`\r [${bar}] ${pctStr}% ${formatBytes(downloaded)} / ${formatBytes(total)}`);
L48: }
...
L57: }
L58: const response = await fetch(url, { redirect: 'follow' });
L59: if (!response.ok) {
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/commands/gemma/setup.jsView on unpkg · L8package.jsonView file
•dependencies registry_only=@github/keytar,@lydell/node-pty,@lydell/node-pty-darwin-arm64,@lydell/node-pty-darwin-x64,@lydell/node-pty-linux-x64,@lydell/node-pty-win32-arm64,@lydell/node-pty-win32-x64,node-pty
Critical
Manifest Confusion
Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.
package.jsonView on unpkgFindings
1 Critical1 High3 Medium5 Low
CriticalManifest Confusionpackage.json
HighSandbox Evasion Gated Capabilitydist/commands/gemma/setup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings