Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Shell · HighEntropyStrings · UrlStrings
Source & flagged code
1 flagged · src/batch.mjs
L37: export const MANIFEST_JSON_SCHEMA = Object.freeze({
L38: $schema: 'https://json-schema.org/draft/2020-12/schema',
L39: $id: 'https://youtubebrief.com/schemas/youtubebrief-batch-manifest.schema.json',
...
L123:
L124: if (isLocalOrPrivateHostname(hostname)) {
L125: throw new CliError('Unsafe YouTube URL host. Local, private, and metadata hosts are not allowed.');
...
L289: try {
L290: parsed = JSON.parse(await readFile(manifestPath, 'utf8'));
L291: } catch (error) {
L292: if (error && error.code === 'ENOENT') {
L293: throw new CliError(`Cannot resume batch: missing manifest.json in ${path.resolve(outDir)}.`, { exitCode: BATCH_EXIT_CODES.manifest });
L294: }
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
src/batch.mjs · L37
Findings
1 High · 2 Medium · 5 Low
High · Cloud Metadata Access · src/batch.mjs
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings