Static Scan Results
scanned 13d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/init/init-wizard.jsView file
17import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
L18: import { execFileSync } from 'node:child_process';
L19: import { join, basename } from 'node:path';
High
Child Process
Package source references child process execution.
dist/init/init-wizard.jsView on unpkg · L17dist/util/msm-exec-runtime.jsView file
45* npx tsx msm-exec-runtime.ts --log /tmp/x.log --format=json <msm-name> [args...]
L46: * npx tsx msm-exec-runtime.ts --list
L47: * npx tsx msm-exec-runtime.ts --schema <msm-name>
...
L60: import { readFileSync, appendFileSync, existsSync, writeFileSync, mkdirSync } from "node:fs";
L61: import { spawn } from "node:child_process";
L62: import { resolve, dirname } from "node:path";
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/util/msm-exec-runtime.jsView on unpkg · L45Findings
3 High2 Medium4 Low
HighChild Processdist/init/init-wizard.js
HighShell
HighRuntime Package Installdist/util/msm-exec-runtime.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings