Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 6 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess
UrlStrings
NoLicense
Source & flagged code
3 flagged
bin/at1.cjs
L12: */
L13: const { spawnSync } = require("node:child_process");
L14:
High
L12: */
L13: const { spawnSync } = require("node:child_process");
L14:
L15: function resolveBinary() {
L16: const platform = process.platform; // 'win32' | 'darwin' | 'linux'
L17: const arch = process.arch; // 'x64' | 'arm64'
...
L27: if (!bin) {
L28: process.stderr.write(
L29: `AT-1: no prebuilt binary for ${process.platform}-${process.arch}.\n` +
...
L31: `If you're on one of those, reinstall so the platform package is fetched ` +
L32: `(e.g. npm i -g @tinyfiles/cli). On other platforms, use the desktop app: https://tinyfiles.io/download.\n`
L33: );
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/at1.cjs · L12
L31: `If you're on one of those, reinstall so the platform package is fetched ` +
L32: `(e.g. npm i -g @tinyfiles/cli). On other platforms, use the desktop app: https://tinyfiles.io/download.\n`
L33: );
...
L36:
L37: const res = spawnSync(bin, process.argv.slice(2), { stdio: "inherit" });
L38: if (res.error) {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/at1.cjs · L31
Findings
3 High · 1 Medium · 2 Low
High · Child Process · bin/at1.cjs
High · Sandbox Evasion Gated Capability · bin/at1.cjs
High · Runtime Package Install · bin/at1.cjs
Medium · Structural Risk Force Deep Review
Low · Url Strings
Low · No License