registry  /  @shadegpu/cli  /  2.3.12

@shadegpu/cli@2.3.12

Encrypted GPU inference on untrusted infrastructure

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 5 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 1 file(s), 1.84 KB of source, external domains: releases.shadegpu.com

Source & flagged code

1 flagged · loading source
bin/shade.jsView file
3L4: const { execFileSync } = require("node:child_process"); L5: const { ... L12: L13: const BASE_URL = "https://releases.shadegpu.com/v1/releases"; L14: const BIN_DIR = __dirname; L15: ... L25: } L26: writeFileSync(dest, Buffer.from(await res.arrayBuffer())); L27: chmodSync(dest, 0o755); ... L31: const nativeBin = join(BIN_DIR, "shade-native"); L32: const key = `${process.platform}-${process.arch}`;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/shade.jsView on unpkg · L3

Findings

1 High1 Medium3 Low
HighSandbox Evasion Gated Capabilitybin/shade.js
MediumNetwork
LowFilesystem
LowUrl Strings
LowNo License