Static Scan Results
scanned 3d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node drivers/js/cli-postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgdrivers/js/cli-postinstall.jsView file
25import { existsSync, mkdirSync, writeFileSync, chmodSync } from 'node:fs'
L26: import { execSync } from 'node:child_process'
L27:
...
L32: const require = createRequire(import.meta.url)
L33: // CLI manifest lives at the repo root (../../package.json), and that is the
L34: // `@reddb-io/cli` package — not the SDK manifest next to this file.
...
L38:
L39: if (process.env.REDDB_SKIP_POSTINSTALL === '1') {
L40: process.stdout.write('reddb-cli: postinstall skipped (REDDB_SKIP_POSTINSTALL=1)\n')
L41: process.exit(0)
...
L72: return (
L73: `reddb-cli: no prebuilt red binary for ${process.platform}/${process.arch}.\n` +
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
drivers/js/cli-postinstall.jsView on unpkg · L25Findings
2 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydrivers/js/cli-postinstall.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings