Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireFilesystemShell
HighEntropyStrings
Source & flagged code
4 flagged · loading sourcebin/claude-collab-plugin.jsView file
61// Fallback: spawn `collab-doctor --version` (or scan its --json for version).
L62: const { spawnSync } = require('child_process');
L63: const r = spawnSync('collab-doctor --json', [], {
High
Child Process
Package source references child process execution.
bin/claude-collab-plugin.jsView on unpkg · L6166windowsHide: true,
L67: shell: true,
L68: });
High
15L16: const path = require('path');
L17:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/claude-collab-plugin.jsView on unpkg · L15src/plugin-doctor.jsView file
81// require() resolution issue (cwd can't see packages installed via
L82: // `npm install -g`). On Windows we need `shell: true` so the shell
L83: // resolves `collab-doctor` to `collab-doctor.cmd` (PATHEXT).
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/plugin-doctor.jsView on unpkg · L81Findings
3 High2 Medium3 Low
HighChild Processbin/claude-collab-plugin.js
HighShellbin/claude-collab-plugin.js
HighRuntime Package Installsrc/plugin-doctor.js
MediumDynamic Requirebin/claude-collab-plugin.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings