Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/providers/google-auth.tsView file
20L21: const OAUTH_TOKEN_URL = "https://oauth2.googleapis.com/token";
L22: const METADATA_TOKEN_URL = "http://metadata.google.[redacted]-accounts/default/token";
L23: const CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
...
L33: client_email: string;
L34: private_key: string;
L35: private_key_id?: string;
...
L60: function userAdcPath(): string {
L61: return path.join(os.homedir(), ".config", "gcloud", "application_default_credentials.json");
L62: }
...
L65: try {
L66: return (await Bun.file(filePath).json()) as T;
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
src/providers/google-auth.tsView on unpkg · L20src/providers/anthropic.tsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @sayknow-cli/ai@0.3.6
matchedIdentity = npm:QHNheWtub3ctY2xpL2Fp:0.3.6
similarity = 0.942
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/providers/anthropic.tsView on unpkgFindings
2 High3 Medium4 Low
HighCloud Metadata Accesssrc/providers/google-auth.ts
HighPrevious Version Dangerous Deltasrc/providers/anthropic.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings