Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 6 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessShell
UrlStrings
Source & flagged code
3 flagged · loading sourcebin/redirect.jsView file
4L5: import { spawn } from "node:child_process";
L6:
High
4L5: import { spawn } from "node:child_process";
L6:
...
L9: "[novada-search] Forwarding to: npx novada-mcp " + process.argv.slice(2).join(" ") + "\n" +
L10: "[novada-search] Get an API key with $10 free credits at https://novada.com\n"
L11: );
...
L15: stdio: "inherit",
L16: shell: process.platform === "win32",
L17: });
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/redirect.jsView on unpkg · L413const args = process.argv.slice(2);
L14: const child = spawn("npx", ["-y", "novada-mcp", ...args], {
L15: stdio: "inherit",
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/redirect.jsView on unpkg · L13Findings
4 High1 Medium1 Low
HighChild Processbin/redirect.js
HighShell
HighSandbox Evasion Gated Capabilitybin/redirect.js
HighRuntime Package Installbin/redirect.js
MediumStructural Risk Force Deep Review
LowUrl Strings