Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcesrc/run.jsView file
9import path from "node:path";
L10: import { spawn } from "node:child_process";
L11:
High
74// target on PATH ourselves: .exe/.com spawn directly; .cmd/.bat go through
L75: // cmd.exe with cross-spawn's escaping (shell:true would join args unescaped).
L76:
High
69//
L70: // `npm install -g @anthropic-ai/claude-code` puts `claude.cmd`/`claude.ps1`
L71: // shims on PATH on Windows — no claude.exe. CreateProcess only auto-appends
L72: // .exe, and Node (post CVE-2024-27980) refuses to spawn .cmd/.bat without a
L73: // shell, so a bare spawn("claude") can never work there. We resolve the real
L74: // target on PATH ourselves: .exe/.com spawn directly; .cmd/.bat go through
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/run.jsView on unpkg · L69Findings
3 High3 Medium4 Low
HighChild Processsrc/run.js
HighShellsrc/run.js
HighRuntime Package Installsrc/run.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings