Static Scan Results
scanned 6d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsObfuscatedUrlStrings
Source & flagged code
2 flagged · loading sourcedist/src/commands/gemma/setup.jsView file
8import path from 'node:path';
L9: import { execFileSync, spawn as nodeSpawn } from 'node:child_process';
L10: import chalk from 'chalk';
...
L22: input: process.stdin,
L23: output: process.stdout,
L24: });
...
L46: const pctStr = (pct * 100).toFixed(0).padStart(3);
L47: process.stderr.write(`\r [${bar}] ${pctStr}% ${formatBytes(downloaded)} / ${formatBytes(total)}`);
L48: }
...
L57: }
L58: const response = await fetch(url, { redirect: 'follow' });
L59: if (!response.ok) {
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/src/commands/gemma/setup.jsView on unpkg · L8dist/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @quantum-ai/gemini-cli@0.45.7
matchedIdentity = npm:QHF1YW50dW0tYWkvZ2VtaW5pLWNsaQ:0.45.7
similarity = 0.992
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgFindings
2 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/src/commands/gemma/setup.js
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings