Static Scan Results
scanned 1h ago · by rust-scannerStatic analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = create-deepspace@0.4.5
matchedIdentity = npm:Y3JlYXRlLWRlZXBzcGFjZQ:0.4.5
similarity = 0.957
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg6import { fileURLToPath } from "url";
L7: import { execSync } from "child_process";
L8: import spawn from "cross-spawn";
High
333} catch (err) {
L334: s.stop("Skill install failed \u2014 see .deepspace/skill.err, then run `npx deepspace skills add`");
L335: try {
...
L346: const workerScript = join(__dirname, "install-worker.js");
L347: const worker = spawn(process.execPath, [workerScript, appDir], {
L348: cwd: appDir,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L333Findings
1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings