Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Shell, High Entropy Strings, Url Strings, No License
Oversized source lightweight scan
apps/cli/extension/extension.js (32.8 MB file, sampled 256 KB)
Signals: Filesystem, Child Process, Environment Vars, Crypto, High Entropy Strings, Url Strings
URL hosts: dev.to, dotenvx.com, feross.org, github.com, jimmy.warting.se, sheetjs.com, www.eliostruyf.com
apps/cli/extension/workers/countTokens.js (2.28 MB file, sampled 256 KB)
Signals: Filesystem, Child Process, Eval, Shell, High Entropy Strings
Source & flagged code
5 flagged
apps/cli/dist/index.cjs
L18703: // src/commands/cli/upgrade.ts
L18704: var import_child_process = require("child_process");
L18705: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Child Process
Package source references child process execution.
apps/cli/dist/index.cjs · L18703
apps/cli/dist/index.cjs
L160: ]).optional(),
L161: codebaseIndexEmbedderBaseUrl: import_zod2.z.string().optional(),
L162: codebaseIndexEmbedderModelId: import_zod2.z.string().optional(),
...
L11436: if (import_fs.default.existsSync(candidate)) {
L11437: const packageJson = JSON.parse(import_fs.default.readFileSync(candidate, "utf-8"));
L11438: return packageJson.version;
...
L18703: // src/commands/cli/upgrade.ts
L18704: var import_child_process = require("child_process");
L18705: var RELEASES_URL = "https://api.github.com/repos/RooCodeInc/Roo-Code/releases?per_page=100";
High
Remote Agent Bridge
Source exposes local file and command tools to a remote model endpoint.
apps/cli/dist/index.cjs · L160
apps/cli/extension/wasm_exec_node.js
L12: globalThis.require = require;
L13: globalThis.fs = require("fs");
L14: globalThis.TextEncoder = require("util").TextEncoder;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
apps/cli/extension/wasm_exec_node.js · L12
apps/cli/extension/tree-sitter-elm.wasm
• path = apps/cli/extension/tree-sitter-elm.wasm
kind = wasm_module
sizeBytes = 148886
magicHex = [redacted]
Medium
Ships Wasm Module
Package ships WebAssembly modules.
apps/cli/extension/tree-sitter-elm.wasm
apps/cli/extension/workers/countTokens.js
• path = [redacted].js
kind = oversized_source_file
sizeBytes = 2395419
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
apps/cli/extension/workers/countTokens.js
Findings
4 High · 4 Medium · 6 Low
High · Child Process · apps/cli/dist/index.cjs
High · Shell
High · Remote Agent Bridge · apps/cli/dist/index.cjs
High · Oversized Source File · apps/cli/extension/workers/countTokens.js
Medium · Dynamic Require · apps/cli/extension/wasm_exec_node.js
Medium · Environment Vars
Medium · Ships Wasm Module · apps/cli/extension/tree-sitter-elm.wasm
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License