Static Scan Results
scanned 7d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsObfuscatedUrlStrings
Source & flagged code
1 flagged · loading sourcedist/src/commands/gemma/setup.jsView file
8import path from 'node:path';
L9: import { execFileSync, spawn as nodeSpawn } from 'node:child_process';
L10: import chalk from 'chalk';
...
L22: input: process.stdin,
L23: output: process.stdout,
L24: });
...
L46: const pctStr = (pct * 100).toFixed(0).padStart(3);
L47: process.stderr.write(`\r [${bar}] ${pctStr}% ${formatBytes(downloaded)} / ${formatBytes(total)}`);
L48: }
...
L57: }
L58: const response = await fetch(url, { redirect: 'follow' });
L59: if (!response.ok) {
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/src/commands/gemma/setup.jsView on unpkg · L8Findings
1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/src/commands/gemma/setup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings