Static Scan Results
scanned 3h ago · by rust-scanner
Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Eval · Filesystem · Shell · HighEntropyStrings · UrlStrings
Source & flagged code
3 flagged
dist/bin.js
L2404: // ../engine/dist/command-verifier.js
L2405: import { spawn } from "node:child_process";
L2406: import { StringDecoder } from "node:string_decoder";
High
L2059: const fetchImpl = opts.fetchImpl ?? fetch;
L2060: const baseURL = (opts.baseURL ?? env.OPENAI_BASE_URL ?? DEFAULT_OPENAI_BASE_URL).replace(/\/+$/, "");
L2061: let parsedScheme;
...
L2404: // ../engine/dist/command-verifier.js
L2405: import { spawn } from "node:child_process";
L2406: import { StringDecoder } from "node:string_decoder";
...
L2841: const mk = async (wasm) => {
L2842: const lang = await Parser.Language.load(readFileSync(vendorWasm(wasm)));
L2843: const p = new Parser();
High
Remote Agent Bridge
Source exposes local file and command tools to a remote model endpoint.
dist/bin.js · L2059
vendor/tree-sitter/tree-sitter.wasm
path = vendor/tree-sitter/tree-sitter.wasm
kind = wasm_module
sizeBytes = 188635
magicHex = [redacted]
Medium
Findings
3 High · 3 Medium · 6 Low
High · Child Process · dist/bin.js
High · Shell
High · Remote Agent Bridge · dist/bin.js
Medium · Environment Vars
Medium · Ships Wasm Module · vendor/tree-sitter/tree-sitter.wasm
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Eval
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings