Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourcesrc/web-fetch.tsView file
17* - web.fetch is read-only by construction. Refuses non-GET, refuses
L18: * non-http(s), refuses private/loopback/metadata IPs. No subprocess
L19: * spawn, no redactEnv. Lower-risk surface, no modal needed.
...
L50: content_type: string | null
L51: body: string
L52: truncated: boolean
...
L141:
L142: export function makeWebFetch(): ToolDef<z.infer<typeof FetchSchema>> {
L143: return {
...
L181: const { bytes, truncated } = await collectUpToBytes(res.body, maxBytes)
L182: const text = new TextDecoder('utf-8', { fatal: false }).decode(bytes)
L183: const block = detectBlock(text, res.status, res.url)
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
src/web-fetch.tsView on unpkg · L17Findings
1 High3 Medium3 Low
HighCloud Metadata Accesssrc/web-fetch.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings