Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesetup.jsView file
5L6: import { spawn } from 'node:child_process';
L7: import fs from 'node:fs';
...
L10:
L11: const isWin = process.platform === 'win32';
L12: const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
...
L20: // clean exit (code 0). IMPORTANT on Windows: a missing command run via the shell
L21: // doesn't emit ENOENT — cmd.exe prints "not recognized" and exits with code 1 —
L22: // so we must check the exit code, not just that the process ran.
L23: function canRun(cmd) {
...
L35: if (isWin) {
L36: const localAppData = process.env.LOCALAPPDATA || path.join(os.homedir(), 'AppData', 'Local');
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
setup.jsView on unpkg · L5Findings
1 High3 Medium3 Low
HighSandbox Evasion Gated Capabilitysetup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings