Static Scan Results
scanned 3d ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessFilesystemShell
UrlStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgscripts/postinstall.cjsView file
15Manifest entrypoint (scripts.postinstall) carries capability families absent from dist/build output: execution+network
L15: const { join, dirname } = require('path');
L16: const { execSync } = require('child_process');
L17:
...
L37: function main() {
L38: const key = `${process.platform}-${process.arch}`;
L39: const pkg = PLATFORM_PACKAGES[key];
...
L49: try {
L50: const pkgJson = require.resolve(`${pkg}/package.json`);
L51: const binPath = join(dirname(pkgJson), 'bin', binName);
...
L73: const version = require('../package.json').version;
L74: const url = `https://github.com/${GITHUB_REPO}/releases/download/v${version}/${asset}`;
L75:
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
scripts/postinstall.cjsView on unpkg · L15Findings
2 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
HighEntrypoint Build Divergencescripts/postinstall.cjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings