Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourceinstall.jsView file
7import { fileURLToPath, pathToFileURL } from 'node:url';
L8: import { execSync } from 'node:child_process';
L9: import { createRequire } from 'node:module';
High
215// the runtime). Leaving them in means a later manual `npm install` in
L216: // ~/.claude/gsd fails under cmd.exe on Windows (issue #2).
L217: if (DRY_RUN) {
High
215// the runtime). Leaving them in means a later manual `npm install` in
L216: // ~/.claude/gsd fails under cmd.exe on Windows (issue #2).
L217: if (DRY_RUN) {
...
L230: copyFile(join(__dirname, 'uninstall.js'), join(RUNTIME_DIR, 'uninstall.js'), 'runtime/uninstall.js → ~/.claude/gsd/uninstall.js');
L231: // Copy lock file so `npm ci` works when node_modules are not present (npx scenario)
L232: const lockFile = join(__dirname, 'package-lock.json');
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
install.jsView on unpkg · L215hooks/gsd-statusline.cjsView file
5L6: const fs = require('node:fs');
L7: const path = require('node:path');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
hooks/gsd-statusline.cjsView on unpkg · L5Findings
3 High4 Medium5 Low
HighChild Processinstall.js
HighShellinstall.js
HighRuntime Package Installinstall.js
MediumDynamic Requirehooks/gsd-statusline.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings