registry  /  core-ai-worker  /  1.0.3

core-ai-worker@1.0.3

Lend your CPU to the Core AI network — one command with your Solana wallet, no clone.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 18.9 KB of source, external domains: api.blacktroll.meme, ollama.com

Source & flagged code

1 flagged · loading source
setup.jsView file
5L6: import { spawn } from 'node:child_process'; L7: import fs from 'node:fs'; ... L10: L11: const isWin = process.platform === 'win32'; L12: const sleep = (ms) => new Promise((r) => setTimeout(r, ms)); ... L20: // clean exit (code 0). IMPORTANT on Windows: a missing command run via the shell L21: // doesn't emit ENOENT — cmd.exe prints "not recognized" and exits with code 1 — L22: // so we must check the exit code, not just that the process ran. L23: function canRun(cmd) { ... L35: if (isWin) { L36: const localAppData = process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local');
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

setup.jsView on unpkg · L5

Findings

1 High3 Medium3 Low
HighSandbox Evasion Gated Capabilitysetup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings