Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 6 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
UrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcebin/xevy.mjsView file
14*/
L15: import { spawnSync } from "node:child_process";
L16: import fs from "node:fs";
...
L24:
L25: const DEFAULT_BASE = "https://xevy.ai";
L26: const isWindows = process.platform === "win32";
L27:
...
L31: // Where `xevy setup` installs the extension and `xevy` loads it from.
L32: const XEVY_EXTENSIONS_DIR = path.join(os.homedir(), ".xevy", "extensions");
L33: const XEVY_EXTENSION_FILE = "xevy.ts";
...
L37: const CREDENTIALS_DIR = path.join(
L38: process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config"),
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/xevy.mjsView on unpkg · L14Findings
1 High2 Medium3 Low
HighSandbox Evasion Gated Capabilitybin/xevy.mjs
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowUrl Strings
LowNo License