Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/commands/billing.jsView file
1import { execSync } from 'child_process';
L2: import { requireApiKey } from '../config.js';
...
L19: function openBrowser(url) {
L20: const platform = process.platform;
L21: try {
...
L46: console.log(chalk.dim(' Add balance: badgr billing add 10'));
L47: console.log(chalk.dim(' Or visit: https://aibadgr.com/billing/top-up'));
L48: }
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/commands/billing.jsView on unpkg · L1src/commands/train.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = badgr-cli@1.0.42
matchedIdentity = npm:YmFkZ3ItY2xp:1.0.42
similarity = 0.708
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
src/commands/train.jsView on unpkgFindings
2 High3 Medium4 Low
HighSandbox Evasion Gated Capabilitysrc/commands/billing.js
HighPrevious Version Dangerous Deltasrc/commands/train.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings