Static Scan Results
scanned 2d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
70*/
L71: const node_child_process_1 = require("node:child_process");
L72: const fs = __importStar(require("node:fs"));
...
L77: /** Public seed repository. Cloned credential-free over HTTPS. */
L78: const DEFAULT_SEED_REPO = 'https://github.com/Clarittyai/agentic-app-seed.git';
L79: /**
...
L118: // --- Tiny ANSI helpers (no deps) ---------------------------------------------
L119: const supportsColor = process.stdout.isTTY && process.env.NO_COLOR === undefined;
L120: const paint = (code, s) => (supportsColor ? `\x1b[${code}m${s}\x1b[0m` : s);
...
L167: const SPIN_FRAMES = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'];
L168: const spinTTY = !!process.stdout.isTTY && process.env.NO_COLOR === undefined && process.env.CI === undefined;
L169: let activeSpinner = null;
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/index.jsView on unpkg · L70•matchType = previous_version_dangerous_delta
matchedPackage = create-claritty-app@0.6.6
matchedIdentity = npm:Y3JlYXRlLWNsYXJpdHR5LWFwcA:0.6.6
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgFindings
2 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/index.js
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings