Static Scan Results
scanned 4d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/flyctl-build.jsView file
3// Shells out to `flyctl deploy --build-only --push` (remote builder). Ported from firth.
L4: import { spawn } from 'node:child_process';
L5: import { existsSync, writeFileSync, unlinkSync } from 'node:fs';
...
L12: let output = '';
L13: child.stdout?.on('data', (b) => { const s = b.toString(); output += s; process.stdout.write(s); });
L14: child.stderr?.on('data', (b) => { const s = b.toString(); output += s; process.stderr.write(s); });
...
L46: try {
L47: const { code, output } = await run('flyctl', ['deploy', '--remote-only', '--build-only', '--push', '--app', opts.flyApp, '--image-label', opts.imageLabel, '--no-cache'], { cwd: opt...
L48: if (code !== 0)
...
L69: return;
L70: if (process.platform === 'darwin' && (await ok('brew', ['--version']))) {
L71: info('flyctl not found — installing with `brew install flyctl` (one-time)…');
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/flyctl-build.jsView on unpkg · L3dist/ensure-skills.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = insta@0.0.4
matchedIdentity = npm:aW5zdGE:0.0.4
similarity = 0.957
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/ensure-skills.jsView on unpkgFindings
2 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/flyctl-build.js
HighPrevious Version Dangerous Deltadist/ensure-skills.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings