Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell, High Entropy Strings, Url Strings
Source & flagged code
3 flagged
lib/package-legitimacy.js
L1: const { execFileSync } = require('child_process');
L2:
High
Child Process
Package source references child process execution.
lib/package-legitimacy.js · L1

lib/skillui-bridge.js
L95: error: 'not-installed',
L96: installInstructions: 'npm install -g skillui'
L97: });
...
L109:
L110: const proc = spawn('npx', args, {
L111: cwd: projectRoot,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
lib/skillui-bridge.js · L95

hooks/pre-tool-use.sh
• path = hooks/pre-tool-use.sh
kind = build_helper
sizeBytes = 2440
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
hooks/pre-tool-use.sh

Findings
3 High · 4 Medium · 5 Low
High: Child Process (lib/package-legitimacy.js)
High: Shell
High: Runtime Package Install (lib/skillui-bridge.js)
Medium: Network
Medium: Environment Vars
Medium: Ships Build Helper (hooks/pre-tool-use.sh)
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings