Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis completed at 65.0% confidence. No malicious behavior was detected; 10 low-signal pattern(s) were surfaced and cleared.
Static reason
No blocking static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
Source & flagged code
2 flagged
dist/src/agent/node-pairing-bridge.js
Line 62: throw new Error("node-pairing module not found in OpenClaw dist");
L63: // ESM import() returns the minified export names (r, t, …) because the
L64: // bundled module uses `export { listNodePairing as r, … }`. Resolve the
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/src/agent/node-pairing-bridge.js · L62
install.js
Line 1: Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network
L1: #!/usr/bin/env node
L2: import { execSync } from "node:child_process";
L3: import { existsSync, readFileSync, writeFileSync, rmSync } from "node:fs";
...
L6:
L7: const sudoUser = process.env.SUDO_USER;
L8:
L9: function realHome() {
L10: if (!sudoUser) return homedir();
L11: const current = homedir();
...
L72: if (!hasOpenclaw()) {
L73: err("openclaw is required but not found. Install OpenClaw first: https://docs.openclaw.ai");
L74: process.exit(1);
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
install.js · L1
Findings
1 High · 4 Medium · 5 Low
High · Entrypoint Build Divergence · install.js
Medium · Dynamic Require · dist/src/agent/node-pairing-bridge.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings