Static Scan Results
scanned 4h ago · by rust-scanner
Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: ChildProcess · EnvironmentVars · Filesystem · NativeBindings · HighEntropyStrings · UrlStrings
Source & flagged code
3 flagged

package.json
scripts.postinstall = node scripts/install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json · scripts.postinstall = node scripts/install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json

scripts/install.js
L11 · Manifest entrypoint (scripts.postinstall) carries capability families absent from dist/build output: environment+network, execution+network
L11:
L12: const { spawnSync } = require('node:child_process');
L13: const { existsSync, rmSync } = require('node:fs');
...
L15:
L16: const LLAME_WORKER_REPO = 'https://github.com/developer239/llame-worker.git';
L17: const LLAME_WORKER_REF = '[redacted]';
L18:
L19: const rootDir = path.join(__dirname, '..');
L20: const vendorDir = path.join(rootDir, 'cpp', 'externals', 'llame-worker');
...
L49:
L50: if (process.env.LLAMEWORKER_SKIP_BUILD === '1') {
L51: console.log('[llama.cpp-ts] LLAMEWORKER_SKIP_BUILD=1 - skipping build.');
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
scripts/install.js · L11

Findings
2 High · 3 Medium · 5 Low
High · Install Time Lifecycle Scripts · package.json
High · Entrypoint Build Divergence · scripts/install.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings