Static Scan Results
scanned 1h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsEvalFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
16706// src/bridge.ts
L16707: import { spawn } from "node:child_process";
L16708: import { fileURLToPath } from "node:url";
High
54Cross-file remote execution chain: dist/index.js spawns dist/broker.js; helper contains network access plus dynamic code execution.
L54: kStatusCode: Symbol("status-code"),
L55: kWebSocket: Symbol("websocket"),
L56: NOOP: () => {
...
L107: } else {
L108: buf = Buffer.from(data);
L109: toBuffer.readOnly = false;
...
L119: };
L120: if (!process.env.WS_NO_BUFFER_UTIL) {
L121: try {
...
L171: *
L172: * @private
L173: */
High
Cross File Remote Execution Context
Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.
dist/index.jsView on unpkg · L546627sourceCode = this.opts.code.process(sourceCode, sch);
L6628: const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
L6629: const validate = makeValidate(this, this.scope.get());
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/index.jsView on unpkg · L6627Findings
3 High1 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCross File Remote Execution Contextdist/index.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings