Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/transport/nodeHttpPatch.jsView file
493}
L494: const require = createRequire(import.meta.url);
L495: const httpModule = require("node:http");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/transport/nodeHttpPatch.jsView on unpkg · L493dist/serverLifecycle.jsView file
1import { spawnSync } from "node:child_process";
L2: import { markDegraded } from "./failsafe.js";
...
L4: const CLI_UNREACHABLE_WARNING = "Sovara exec server is unreachable and could not be started. Install the " +
L5: "Sovara CLI (https://docs.sovara-labs.com) so it can manage the local exec " +
L6: "server, or set SOVARA_EXEC_SERVER_URL to a reachable server. Continuing " +
...
L14: function defaultWhich(name) {
L15: const res = spawnSync(process.platform === "win32" ? "where" : "which", [name], {
L16: encoding: "utf8",
...
L19: return null;
L20: return res.stdout.split(/\r?\n/)[0]?.trim() || null;
L21: }
...
L26: return false;
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/serverLifecycle.jsView on unpkg · L1Findings
1 High4 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/serverLifecycle.js
MediumDynamic Requiredist/transport/nodeHttpPatch.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings