Static Scan Results
scanned 4h ago · by rust-scanner
Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, High Entropy Strings, Url Strings, No License
Source & flagged code
6 flagged

File: dist/packages/core/src/api/auth/sso.js
    patternName = generic_password
    severity = medium
    line = 36
    matchedText = password...nt',
Medium · Secret Pattern
Package contains a possible secret pattern.
Location: dist/packages/core/src/api/auth/sso.js · L36

File: dist/index.js
    L512: const cmd = process.platform === 'win32' ? 'start' : process.platform === 'darwin' ? 'open' : 'xdg-open';
    L513: require('child_process').exec(`${cmd} http://localhost:${port}/admin`);
    L514: }
High · Child Process

File: dist/database/adapters/AotBridge.js
    L30: try {
    L31: // Convert absolute Windows paths to file:// URLs for ESM import() compatibility
    L32: const fileUrl = pathToFileURL(fileToLoad).href;
Medium · Dynamic Require
Package source references dynamic require/import behavior.
Location: dist/database/adapters/AotBridge.js · L30

File: dist/packages/core/src/services/flow-engine.js
    L121: status: 'running',
    L122: context: { payload, env: process.env },
    L123: completedNodes: {},
    ...
    L321: else {
    L322: const headers = config.headers ? JSON.parse(config.headers) : {};
    L323: const body = config.body ? JSON.parse(config.body) : context.payload || context;
    L324: const method = config.method || 'POST';
    L325: const res = await fetch(config.url, {
    L326: method,
    L327: headers: { 'Content-Type': 'application/json', ...headers },
    L328: body: method !== 'GET' ? JSON.stringify(body) : undefined
    L329: });
Medium · Unsafe Vm Context
Package source executes code through a VM context API.
Location: dist/packages/core/src/services/flow-engine.js · L121

File: dist/packages/core/src/api/system/audit-logs.js
    L183: try {
    L184: execSync(`npx tsx "${scriptPath}"`, { stdio: 'inherit' });
    L185: }
High · Runtime Package Install
Package source invokes a package manager install command at runtime.
Location: dist/packages/core/src/api/system/audit-logs.js · L183

File: dist/api/auth/sso.js
    patternName = generic_password
    severity = medium
    line = 36
    matchedText = password...nt',
Medium · Secret Pattern
Findings
2 High · 7 Medium · 5 Low
High · Child Process · dist/index.js
High · Runtime Package Install · dist/packages/core/src/api/system/audit-logs.js
Medium · Secret Pattern · dist/packages/core/src/api/auth/sso.js
Medium · Dynamic Require · dist/database/adapters/AotBridge.js
Medium · Unsafe Vm Context · dist/packages/core/src/services/flow-engine.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · dist/api/auth/sso.js
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License