Static Scan Results
scanned 7d ago · by rust-scannerStatic analysis completed at 65.0% confidence. No malicious behavior was detected; 14 low-signal pattern(s) were surfaced and cleared.
Static reason
No blocking static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
CopyleftLicense
Source & flagged code
4 flagged · loading sourcesrc/httpApi.jsView file
56uploadExts = DEFAULT_UPLOAD_EXTS, maxUploadBytes = MAX_TRANSFER_BYTES,
L57: asrEnv = process.env, previews, previewDomain = null,
L58: home = homedir(), stateFile = process.env.CLAUDE_STATE_FILE || claudeStatePath(homedir()),
L59: } = {}) {
...
L61: r.use(expressAuth(token));
L62: r.use(express.json());
L63: const claudeEvents = events || createClaudeEvents({ commands, push });
...
L68:
L69: r.post('/sessions', async (req, res, next) => {
L70: const name = typeof req.body?.name === 'string' ? req.body.name.trim() : '';
...
L566: // POST {name,dir} registers a static dir served at /preview/<name>/; POST {name,port} registers a
L567: // dynamic reverse-proxy reachable at https://<name>.<DOMAIN>/ (only when previewDomain is set). The
Low
Weak Crypto
Package source references weak cryptographic algorithms.
src/httpApi.jsView on unpkg · L56src/cli/service.jsView file
2// keeps server + tunnel alive — same model as a foreground run, just parented by launchd/systemd.
L3: // The intended config is baked into the service file as a base64 payload (self-contained: no reliance
L4: // on config.json). Text generators are pure (unit-tested); the launchctl/systemctl calls inject `exec`.
L5: import fs from 'node:fs';
L6: import path from 'node:path';
L7: import { spawnSync } from 'node:child_process';
L8: import { pocketHome, logPath } from './state.js';
...
L56:
L57: export function installService(args, { home, platform = process.platform, exec = spawnSync, log = console } = {}) {
L58: if (platform === 'darwin') {
...
L63: const r = exec('launchctl', ['load', '-w', p], { encoding: 'utf8' });
L64: if (r.status !== 0) throw new Error(`launchctl load failed: ${r.stderr || r.status}`);
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
src/cli/service.jsView on unpkg · L2hooks/handmux-notify.shView file
•path = hooks/handmux-notify.sh
kind = build_helper
sizeBytes = 1752
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
hooks/handmux-notify.shView on unpkgpublic/fonts/TWUnifont.woff2View file
•path = public/fonts/TWUnifont.woff2
kind = high_entropy_blob
sizeBytes = 912400
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
public/fonts/TWUnifont.woff2View on unpkgFindings
1 High5 Medium8 Low
HighShips High Entropy Blobpublic/fonts/TWUnifont.woff2
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli/service.js
MediumShips Build Helperhooks/handmux-notify.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptosrc/httpApi.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License