Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/src/core/updater/index.jsView file
1import { exec } from 'child_process';
L2: import fs from 'fs';
High
Child Process
Package source references child process execution.
dist/src/core/updater/index.jsView on unpkg · L1dist/src/core/daemon/client.jsView file
1import net from 'net';
L2: import path from 'path';
...
L5: import fs from 'fs';
L6: import { spawn } from 'child_process';
L7: import { fileURLToPath } from 'url';
L8: const __filename = fileURLToPath(import.meta.url);
L9: const __dirname = path.dirname(__filename);
L10: function getSocketPath(projectDir) {
L11: const isWin = process.platform === 'win32';
L12: const nameHash = Buffer.from(projectDir).toString('hex');
L13: if (isWin) {
...
L52: stdio: 'ignore', // run in background completely detached
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/src/core/daemon/client.jsView on unpkg · L1dist/src/cli/commands/init.jsView file
211const { spawn } = await import('child_process');
L212: const daemonProcess = spawn('npx', ['contextos', 'daemon'], {
L213: detached: true,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/src/cli/commands/init.jsView on unpkg · L211Findings
3 High2 Medium6 Low
HighChild Processdist/src/core/updater/index.js
HighShell
HighRuntime Package Installdist/src/cli/commands/init.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/src/core/daemon/client.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings