Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
EnvironmentVarsNetwork
HighEntropyStringsUrlStrings
CopyleftLicenseWildcardDependency
Source & flagged code
2 flagged · loading sourcedist/email.provider.jsView file
25// Check for required environment variables
L26: if (!process.env.TML_PROVIDER_EMAIL_SERVER_HOST)
L27: throw new Error('Missing required environment variable: TML_PROVIDER_EMAIL_SERVER_HOST');
...
L92: return this._refreshToken.token;
L93: const requestBody = new URLSearchParams({
L94: client_id: process.env.TML_PROVIDER_EMAIL_AUTH_CLIENT_ID,
...
L96: grant_type: 'client_credentials',
L97: scope: 'https://outlook.office365.com/.default',
L98: }).toString();
...
L105: });
L106: const responseText = await response.text();
L107: if (!response.ok) {
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/email.provider.jsView on unpkg · L2525Trigger-reachable chain: manifest.main -> dist/index.js -> dist/email.provider.js
L25: // Check for required environment variables
L26: if (!process.env.TML_PROVIDER_EMAIL_SERVER_HOST)
L27: throw new Error('Missing required environment variable: TML_PROVIDER_EMAIL_SERVER_HOST');
...
L92: return this._refreshToken.token;
L93: const requestBody = new URLSearchParams({
L94: client_id: process.env.TML_PROVIDER_EMAIL_AUTH_CLIENT_ID,
...
L96: grant_type: 'client_credentials',
L97: scope: 'https://outlook.office365.com/.default',
L98: }).toString();
...
L105: });
L106: const responseText = await response.text();
L107: if (!response.ok) {
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/email.provider.jsView on unpkg · L25Findings
2 Critical4 Medium4 Low
CriticalCredential Exfiltrationdist/email.provider.js
CriticalTrigger Reachable Dangerous Capabilitydist/email.provider.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License