Static Scan Results
scanned 7d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcescripts/oauth-pair.mjsView file
7* Env:
L8: * ZEGA_API_BASE optional, default https://api.zegaphone.com (or prior credentials.json api_base)
L9: * ZEGA_APP_BASE optional, default https://www.zegazone.com
...
L20: import os from "node:os";
L21: import { spawn } from "node:child_process";
L22:
...
L31: const raw = fs.readFileSync(credPath, "utf8");
L32: const parsed = JSON.parse(raw);
L33: if (typeof parsed.api_base === "string" && parsed.api_base.trim()) {
...
L42: function resolveApiBase(credPath) {
L43: const fromEnv = process.env.ZEGA_API_BASE?.trim();
L44: if (fromEnv) return normalizeApiBase(fromEnv);
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
scripts/oauth-pair.mjsView on unpkg · L7Findings
1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilityscripts/oauth-pair.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License