Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
14// src/lib/install.ts
L15: import { spawn } from "child_process";
L16:
High
124await new Promise((resolve, reject) => {
L125: const child = spawn(command, args, { cwd, stdio: "ignore", shell: process.platform === "win32" });
L126: child.on("error", reject);
...
L134: // src/lib/registry.ts
L135: var DEFAULT_REGISTRY_URL = "https://www.boardui.com/r";
L136: function registryBaseUrl() {
L137: return (process.env.BOARDUI_REGISTRY_URL ?? DEFAULT_REGISTRY_URL).replace(/\/$/, "");
L138: }
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L12414// src/lib/install.ts
L15: import { spawn } from "child_process";
L16:
...
L75: }
L76: return JSON.parse(out.replace(/,\s*([}\]])/g, "$1"));
L77: }
L78: function readProject(cwd) {
L79: const pkgPath = path.join(cwd, "package.json");
L80: if (!existsSync(pkgPath)) {
...
L124: await new Promise((resolve, reject) => {
L125: const child = spawn(command, args, { cwd, stdio: "ignore", shell: process.platform === "win32" });
L126: child.on("error", reject);
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L14Findings
4 High3 Medium5 Low
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings