Static Scan Results
scanned 4h ago · by rust-scanner
Static analysis flagged 6 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: ChildProcess, Filesystem, UrlStrings
Source & flagged code
2 flagged · scripts/cli.js
L13: const { execSync } = require('child_process');
L14: const path = require('path');
...
L16:
L17: const PKG_ROOT = path.resolve(__dirname, '..');
L18: const SCRIPTS_DIR = path.join(PKG_ROOT, 'scripts');
L19: const PLATFORMS = ['trae', 'claude-code', 'codex', 'cursor', 'codebuddy', 'qoder', 'zcode'];
L20: // Read the version dynamically from package.json so a hard-coded value cannot drift out of sync (same pattern as logger.ts)
L21: const VERSION = require('../package.json').version;
...
L74: function runInstall(extraArgs) {
L75: if (process.platform === 'win32') {
L76: runPowerShell('install.ps1', extraArgs);
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
Location: scripts/cli.js · L12
scripts/uninstall.ps1
• path = scripts/uninstall.ps1
kind = build_helper
sizeBytes = 18544
magicHex = [redacted]
Medium
Ships Build Helper
Package ships non-JavaScript build or shell helper files.
Location: scripts/uninstall.ps1
Findings
1 High · 2 Medium · 3 Low
High: Sandbox Evasion Gated Capability (scripts/cli.js)
Medium: Ships Build Helper (scripts/uninstall.ps1)
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: Url Strings