Static Scan Results
scanned 4d ago · by rust-scanner
Static analysis flagged 4 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess
Filesystem
UrlStrings
NoLicense
Source & flagged code
1 flagged · bin/code_graph-mcp.js
L7: const { spawnSync } = require("child_process");
L8: const path = require("path");
...
L35: try {
L36: pkgRoot = path.dirname(require.resolve(`${pkg}/package.json`));
L37: } catch (err) {
...
L39: `error: @rensoai/code-graph: platform sub-package ${pkg} not installed. ` +
L40: `Install from https://cg.renso.ai/docs#install, or ensure optionalDependencies ` +
L41: `are not blocked if you are maintaining the npm package.`
...
L44: }
L45: const ext = process.platform === "win32" ? ".exe" : "";
L46: const candidate = path.join(pkgRoot, "bin", `code_graph-mcp${ext}`);
High · Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/code_graph-mcp.js · L6
Findings
1 High · 3 Low
High · Sandbox Evasion Gated Capability · bin/code_graph-mcp.js
Low · Filesystem
Low · Url Strings
Low · No License