Static Scan Results
scanned 4d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcebin/doctor.mjsView file
14import { fileURLToPath } from "node:url";
L15: import { spawnSync } from "node:child_process";
L16: import { userDir, readJson, loadConfig } from "../hooks/lib/state.mjs";
High
cli.mjsView file
262const { fileURLToPath } = await import("node:url");
L263: const { spawnSync } = await import("node:child_process");
L264: const KIT = dirname(fileURLToPath(import.meta.url));
...
L271: if (!script || script === candidates[2]) {
L272: say(pc.yellow("no kitstarter engine installed here - run: npx kitstarter-cli"));
L273: process.exit(1);
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
cli.mjsView on unpkg · L262Findings
3 High3 Medium4 Low
HighChild Processbin/doctor.mjs
HighShell
HighRuntime Package Installcli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License