Static Scan Results
scanned 3h ago · by rust-scanner
Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · EnvironmentVars · Filesystem · Network · Shell · HighEntropyStrings · UrlStrings
Source & flagged code
1 flagged · dist/commands/mcp.js
L11: name: "Cursor",
L12: getPath: () => path.join(process.cwd(), ".cursor", "mcp.json"),
L13: config: { mcpServers: { "assistant-ui": {
...
L40: getPath: () => {
L41: if (process.platform === "win32") return path.join(process.env.APPDATA || "", "Zed", "settings.json");
L42: if (process.platform === "darwin") return path.join(os.homedir(), ".zed", "settings.json");
...
L73: logger.break();
L74: const child = spawn("claude", [
L75: "mcp",
...
L85: logger.error(`Failed to install: ${error.message}`);
L86: logger.info("Make sure Claude Code CLI is installed: https://docs.anthropic.com/en/docs/claude-code");
L87: reject(error);
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/commands/mcp.js · L11
Findings
1 High · 3 Medium · 4 Low
High · Sandbox Evasion Gated Capability · dist/commands/mcp.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings