Static Scan Results
scanned 14d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcescripts/sync-skills.jsView file
8* 5. commit + push в оба репо
L9: * 6. npm version <bump> + git push --tags + npm publish (только docs-skills)
L10: *
...
L26: const path = require('path');
L27: const { execSync, spawnSync } = require('child_process');
L28:
L29: const REPO_ROOT = path.resolve(__dirname, '..');
L30: const DOCSBOOK_ROOT = '/[redacted]';
...
L34: const DOCSBOOK_README = path.join(DOCSBOOK_ROOT, 'README.md');
L35: const PKG_JSON = path.join(REPO_ROOT, 'package.json');
L36:
...
L66: function readIndex() {
Critical
Npm Publish Worm
Source mutates package metadata and republishes itself to npm.
scripts/sync-skills.jsView on unpkg · L826const path = require('path');
L27: const { execSync, spawnSync } = require('child_process');
L28:
High
Child Process
Package source references child process execution.
scripts/sync-skills.jsView on unpkg · L26bin/docs-skills.jsView file
1#!/usr/bin/env node
L2: const path = require('path');
L3: const fs = require('fs');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/docs-skills.jsView on unpkg · L1Findings
1 Critical2 High2 Medium4 Low
CriticalNpm Publish Wormscripts/sync-skills.js
HighChild Processscripts/sync-skills.js
HighShell
MediumDynamic Requirebin/docs-skills.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings