Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 5 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
EnvironmentVars
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/agent-candidate-schema-common.jsView file
8const githubComponentPattern = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,99}$/;
L9: const secretNamePattern = /(?:^|[_-])(?:api[_-]?key|access[_-]?key|private[_-]?key|token|secret|password|credentials?|authorization|cookie|database[_-]?url|dsn|pat)(?:[_-]|$)/i;
L10: const obviousSecretValuePattern = /(?:\b(?:sk|gh[pousr]|github_pat|AKIA)[-_A-Za-z0-9]{12,}\b|-----BEGIN [A-Z ]*PRIVATE KEY-----|\bBearer\s+\S+)/;
...
L18: "cmd",
L19: "cmd.exe",
L20: "powershell",
...
L41: for (let index = 0; index < value.length; index++) {
L42: const code = value.charCodeAt(index);
L43: if (code >= 0xd800 && code <= 0xdbff) {
...
L92: try {
L93: const parsed = new URL(`http://${literal.includes(":") ? `[${literal}]` : literal}/`);
L94: hostname = parsed.hostname.replace(/^\[|\]$/g, "");
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/agent-candidate-schema-common.jsView on unpkg · L8Findings
1 High1 Medium3 Low
HighCloud Metadata Accessdist/agent-candidate-schema-common.js
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings