Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis flagged 12 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · Obfuscated · UrlStrings
NoLicense
Source & flagged code
3 flagged
dist/server-HB7WJO3N.js
L9883: contains invisible/control Unicode U+200B (zero width space)
const bodyText = rawBodyText.replace(/<U+200B>/g, " ").replace(/\s+/g, " ");
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
dist/server-HB7WJO3N.js · L9883
Trigger-reachable chain: manifest.bin -> dist/bin/api-server.js -> dist/server-HB7WJO3N.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/server-HB7WJO3N.js
L188: ctaHeadingItalic: "real data.",
L189: ctaBody: "MCP Scraper gives your AI workflows the web intelligence they need \u2014 SERP data, People Also Ask harvests, page extraction, YouTube transcripts, and more. All via API...
L190: sections: [
...
L451: answer: `<strong>ChatGPT makes things up because its RLHF training consistently rewarded fluent, complete-sounding answers \u2014 and human raters often cannot tell in the moment w...
L452: source: "https://techcrunch.com/2026/05/05/openai-releases-gpt-5-5-instant-a-new-default-model-for-chatgpt/"
L453: }
...
L499: question: "what is the hallucination rate of Claude in 2026",
L500: answer: `<strong>Claude's hallucination rate in 2026 spans from 0% (Claude Opus 4.1 on AA-Omniscience, via refusal) to 58% (Claude Opus 4.5 on the same benchmark when not configure...
L501: source: "https://medium.com/@anyapi.ai/llm-hallucination-index-2026-why-claude-4-6-7b2d13ed9f0c"
...
L1634: ],
L1635: interactiveHtml: `<div class="si si-codegen"><span class="si-heading">Generate your PAA API request</span><div class="si-codegen-inputs"><label class="si-label">Keyword<input class...
L1636: }
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/server-HB7WJO3N.js · L188
Findings
2 Critical · 3 Medium · 7 Low
Critical · Trojan Source Unicode · dist/server-HB7WJO3N.js
Critical · Trigger Reachable Dangerous Capability · dist/server-HB7WJO3N.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/server-HB7WJO3N.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Url Strings
Low · No License