Static Scan Results
scanned 7h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/mcp-server.jsView file
301function createSection() {
L302: return { key: "", data: "", content: "" };
L303: }
...
L770: if (ch === "_") continue;
L771: if (!isHexCode(data.charCodeAt(index))) return false;
L772: hasDigits = true;
...
L1389: if (ast.body[0].expression.body.type === "BlockStatement") {
L1390: return new Function(params, source.slice(body[0] + 1, body[1] - 1));
L1391: }
...
L4463: const resolved = import_node_path5.default.resolve(projectRoot);
L4464: return process.platform === "win32" ? resolved.toLowerCase() : resolved;
L4465: }
High
Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/mcp-server.jsView on unpkg · L3011389if (ast.body[0].expression.body.type === "BlockStatement") {
L1390: return new Function(params, source.slice(body[0] + 1, body[1] - 1));
L1391: }
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/mcp-server.jsView on unpkg · L1389Findings
1 High3 Medium7 Low
HighObfuscated Payload Loaderdist/mcp-server.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/mcp-server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License