Static Scan Results
scanned 1d ago · by rust-scanner
Static analysis flagged 11 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: ChildProcess · Filesystem · Shell · HighEntropyStrings · UrlStrings · NoLicense
Source & flagged code
4 flagged in dist/scaffold.js

L1: import { spawn } from 'node:child_process';
L2: import { copyFileSync, existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from 'node:fs';
Severity: High

L56:   stdio: 'inherit',
L57:   shell: true,
L58: });
Severity: High
L80: try {
L81:   await exec('git', ['init'], dest);
L82:   log.success('Git repository initialized.');
...
L94: catch {
L95:   log.warn('bun install failed — run it yourself later.');
L96: }
Severity: High
Runtime Package Install
Package source invokes a package manager install command at runtime. The flagged call sits in the scaffolder's own flow (after `git init`, inside a try/catch that only logs on failure), not in an install lifecycle hook; the scan reports the pattern, not a confirmed malicious install.
dist/scaffold.js · L80
template/scripts/db-migrate.sh
path = template/scripts/db-migrate.sh
kind = build_helper
sizeBytes = 418
magicHex = [redacted]
Severity: Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
template/scripts/db-migrate.sh

Findings
3 High · 2 Medium · 6 Low
High    Child Process                  dist/scaffold.js
High    Shell                          dist/scaffold.js
High    Runtime Package Install        dist/scaffold.js
Medium  Ships Build Helper             template/scripts/db-migrate.sh
Medium  Structural Risk                force deep review
Low     Non Install Lifecycle Scripts
Low     Scripts Present
Low     Filesystem
Low     High Entropy Strings
Low     Url Strings
Low     No License