Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcebin/buildwithnexus.jsView file
7const path = require('path');
L8: const { spawnSync } = require('child_process');
L9: const { existing, platformPackage, target } = require('../scripts/resolve-binary.js');
...
L17: const fs = require('fs');
L18: process.stderr.write(
L19: `buildwithnexus: no prebuilt binary is installed for ${process.platform} ${process.arch}.\n` +
L20: ' Download the checksum-verified binary from the GitHub release now? [y/N] '
...
L28: const n = fs.readSync(fd, buf, 0, 64, null);
L29: return /^y(es)?$/i.test(buf.toString('utf8', 0, n).trim());
L30: } catch {
...
L48: flagIdx !== -1 ||
L49: process.env.BWN_ALLOW_BOOTSTRAP === '1' ||
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/buildwithnexus.jsView on unpkg · L76// binary itself handles update checks.
L7: const path = require('path');
L8: const { spawnSync } = require('child_process');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/buildwithnexus.jsView on unpkg · L6Findings
1 High4 Medium4 Low
HighSandbox Evasion Gated Capabilitybin/buildwithnexus.js
MediumDynamic Requirebin/buildwithnexus.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings