Static Scan Results
scanned 3d ago · by rust-scanner
Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence: public snapshot
Behavioral surface: ChildProcess, DynamicRequire, EnvironmentVars, Filesystem, NativeBindings, HighEntropyStrings, UrlStrings
Source & flagged code
5 flagged
package.json
• scripts.install = npx node-pre-gyp install --fallback-to-build
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.json
• scripts.install = npx node-pre-gyp install --fallback-to-build
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.json
tools/list-libraries.js
L5: * Driven by the CLI: `node-gtk list [filter] [options]`. The names/versions it
L6: * prints are exactly what you pass to `require()` / the `gi:` import scheme /
L7: * `generate-types` (e.g. `Gtk-4.0`).
Medium
Dynamic Require
Package source references dynamic require/import behavior.
tools/list-libraries.js · L5
lib/binding/node-v127-linux-x64/node_gtk.node
• path = lib/binding/node-v127-linux-x64/node_gtk.node
kind = native_binary
sizeBytes = 4087720
magicHex = [redacted]
Medium
Ships Native Binary
Package ships native binary artifacts.
lib/binding/node-v127-linux-x64/node_gtk.node
binding.gyp
• path = binding.gyp
kind = build_helper
sizeBytes = 5714
magicHex = [redacted]
Medium
Findings
1 High · 6 Medium · 4 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · tools/list-libraries.js
Medium · Environment Vars
Medium · Ships Native Binary · lib/binding/node-v127-linux-x64/node_gtk.node
Medium · Ships Build Helper · binding.gyp
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings