Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshot
Source & flagged code
10 flagged
Package defines install-time lifecycle scripts.
package.json
Package declares a runtime dependency whose name matches a Node built-in module.
package.json
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
Package source references child process execution.
open-sse/handlers/ttsProviders/localDevice.js · L1
Package source references shell execution.
open-sse/handlers/ttsProviders/localDevice.js · L35
Package source executes code through a VM context API.
open-sse/executors/duckduckgo-ai.js · L3
Package source references weak cryptographic algorithms.
open-sse/shared/qoder/cosy.js · L43
Source writes installer persistence such as shell profile or service configuration.
src/mitm/manager.js · L1
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
cli/cli.js · L738
Package source invokes a package manager install command at runtime.
src/lib/updater/updater.js · L1