Static Scan Results
scanned 5h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcebin/fclt.cjsView file
3L4: const fs = require("node:fs");
L5: const fsp = require("node:fs/promises");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/fclt.cjsView on unpkg · L3src/self-update.tsView file
98try {
L99: const txt = await Bun.file(path).text();
L100: return JSON.parse(txt) as InstallState;
...
L112: const envMethod =
L113: context.envInstallMethod ?? process.env.FACULT_INSTALL_METHOD?.trim();
L114: if (envMethod === "script-dev" || envMethod === "script-bin") {
...
L121: const exec = context.executablePath ?? process.execPath;
L122: const home = context.homeDir ?? homedir();
L123: if ([redacted](exec)) {
...
L203: stdin: "ignore",
L204: stdout: "pipe",
L205: stderr: "ignore",
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/self-update.tsView on unpkg · L98Findings
1 High5 Medium5 Low
HighSandbox Evasion Gated Capabilitysrc/self-update.ts
MediumDynamic Requirebin/fclt.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings