Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
3 flagged · loading sourcebin/install.jsView file
25const os = require("os");
L26: const { spawnSync } = require("child_process");
L27:
High
runtime/claude_auth.jsView file
3const path = require("node:path");
L4: const { spawn, spawnSync } = require("node:child_process");
L5:
...
L10: const ANTHROPIC_OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
L11: const ANTHROPIC_OAUTH_TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
L12: const REFRESH_SAFETY_MARGIN_MS = 5 * 60 * 1000;
...
L14:
L15: function claudeCredentialsPaths(env = process.env) {
L16: const home = env.HOME || os.homedir();
L17: return [
...
L24: try {
L25: return JSON.parse(fs.readFileSync(file, "utf8"));
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
runtime/claude_auth.jsView on unpkg · L3runtime/commands/command-upgrade.jsView file
10const spawnSync = deps.spawnSync;
L11: const install = spawnSync("npm", ["install", "-g", "clawlabor@latest"], {
L12: encoding: "utf8",
...
L15: if (install.status !== 0) {
L16: throw new Error("Failed to upgrade ClawLabor with `npm install -g clawlabor@latest`");
L17: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
runtime/commands/command-upgrade.jsView on unpkg · L10Findings
3 High3 Medium5 Low
HighChild Processbin/install.js
HighSandbox Evasion Gated Capabilityruntime/claude_auth.js
HighRuntime Package Installruntime/commands/command-upgrade.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License