Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoFilesystemNetworkShell
HighEntropyStrings
Source & flagged code
3 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/download-xcframework.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgscripts/download-xcframework.mjsView file
13Manifest entrypoint (scripts.postinstall) carries capability families absent from dist/build output: execution+network
L13: import { mkdir, readFile, rm, writeFile } from 'node:fs/promises';
L14: import { execFileSync } from 'node:child_process';
L15: import { dirname, join } from 'node:path';
...
L18: const root = dirname(dirname(fileURLToPath(import.meta.url)));
L19: const manifest = JSON.parse(await readFile(join(root, 'vendor-manifest.json'), 'utf8'));
L20: const { url, sha256 } = manifest['libghostty-spm'].xcframework;
...
L34: console.log(`[expo-libghostty] downloading GhosttyKit.xcframework (${url})`);
L35: const response = await fetch(url, { redirect: 'follow' });
L36: if (!response.ok) throw new Error(`download failed: HTTP ${response.status}`);
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
scripts/download-xcframework.mjsView on unpkg · L13scripts/sync-vendor.shView file
•path = scripts/sync-vendor.sh
kind = build_helper
sizeBytes = 2515
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
scripts/sync-vendor.shView on unpkgFindings
2 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighEntrypoint Build Divergencescripts/download-xcframework.mjs
MediumNetwork
MediumShips Build Helperscripts/sync-vendor.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings