Static Scan Results
scanned 4h ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · EnvironmentVars · Filesystem · Network · HighEntropyStrings · UrlStrings
Source & flagged code
4 flagged
bin/cli.js
L6: const path = require('path');
L7: const { execSync, spawnSync } = require('child_process');
L8: const readline = require('readline');
High
L456: try {
L457: const https = require('https');
L458: const result = spawnSync(process.execPath, [
L459: '-e',
L460: `const https=require('https');const r=https.request('https://api.evolink.ai/v1/credits',{method:'GET',headers:{'Authorization':'Bearer ${key.replace(/'/g, "\\'")}'}, timeout:10000}...
L461: ], { encoding: 'utf8', stdio: 'pipe', timeout: 15000 });
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/cli.js · L456
L6: const path = require('path');
L7: const { execSync, spawnSync } = require('child_process');
L8: const readline = require('readline');
...
L20: // ── Package root (resolve relative to this script) ───────────────────────────
L21: const PKG_ROOT = path.resolve(__dirname, '..');
L22: // gemini-omni-flash-text-to-video — folder name under <skills-dir>/ where this skill installs (kebab-case, matches _meta.json slug)
L23: const SKILL_SLUG = 'gemini-omni-flash-text-to-video';
L24: const PKG_JSON = JSON.parse(fs.readFileSync(path.join(PKG_ROOT, 'package.json'), 'utf8'));
L25: const PKG_VERSION = PKG_JSON.version;
L26: const PKG_NAME = PKG_JSON.name;
L27: const INSTALL_KEY_URL = 'https://evolink.ai/dashboard/keys?utm_source=skill&utm_medium=install&utm_campaign=gemini-omni-flash-text-to-video';
L28:
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
bin/cli.js · L6
examples/python/complete_flow.py
path = examples/python/complete_flow.py
kind = build_helper
sizeBytes = 3491
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
examples/python/complete_flow.py
Findings
2 High · 5 Medium · 4 Low
High · Child Process · bin/cli.js
High · Command Output Exfiltration · bin/cli.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · bin/cli.js
Medium · Ships Build Helper · examples/python/complete_flow.py
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings