Static Scan Results
scanned 9d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
6import { fileURLToPath } from "url";
L7: import { execSync } from "child_process";
L8: import spawn from "cross-spawn";
High
322} catch (err) {
L323: s.stop("Skill install failed \u2014 see .deepspace/skill.err, then run `npx deepspace skills add`");
L324: try {
...
L335: const workerScript = join(__dirname, "install-worker.js");
L336: const worker = spawn(process.execPath, [workerScript, appDir], {
L337: cwd: appDir,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L322Findings
3 High3 Medium5 Low
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings