Static Scan Results
scanned 10h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
9345"process.",
L9346: "child_process"
L9347: ];
High
9284},
L9285: // No new Function()
L9286: NewExpression: (node) => {
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/index.jsView on unpkg · L9284dist/services/node.jsView file
2Cross-file remote execution chain: dist/services/node.js spawns dist/index.js; helper contains network access plus dynamic code execution.
L2: import { timingSafeEqual } from "crypto";
L3: import { createServer } from "http";
L4: import { URL as URL2 } from "url";
...
L134: try {
L135: const parsed = JSON.parse(serialized);
L136: const validation = validateAiMutationPlan(parsed);
...
L718: canvasId: params.canvasId,
L719: includeXNetMetadata: searchParams.get("includeXNetMetadata") !== "false"
L720: })
...
L1440: * The narrow surface handed to built-in tool handlers and resource routes
L1441: * (`tools/`, `resources/`): closures over the private methods, so the class
L1442: * stays the facade and its public type is unchanged. The closures are lazy —
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/services/node.jsView on unpkg · L2Findings
2 High2 Medium5 Low
HighChild Processdist/index.js
HighCross File Remote Execution Contextdist/services/node.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings