Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 22 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
12 flagged · loading sourcePackage contains a critical-looking secret pattern.
dist/tests/stages/util.test.jsView on unpkg · L88AWS access key ID in dist/tests/stages/util.test.js
dist/tests/stages/util.test.jsView on unpkg · L88Package source references child process execution.
dist/tests/core/checkpoint.test.jsView on unpkg · L16Package source references a known benign dynamic code generation pattern.
dist/tests/stages/ai-hints-forbidden-pattern.test.jsView on unpkg · L22Package source references dynamic require/import behavior.
dist/tests/optimizer/infer-depends-on.test.jsView on unpkg · L124A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/clad.jsView on unpkg · L743Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/clad.jsView on unpkg · L419Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
dist/clad.jsView on unpkg · L6Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/clad.jsView on unpkg · L6Package source invokes a package manager install command at runtime.
dist/tests/cli/graph-export-pipe.test.jsView on unpkg · L19Stripe live secret key in dist/conformance/runner.js
dist/conformance/runner.jsView on unpkg · L252