Static Scan Results
scanned 10d ago · by rust-scannerStatic analysis flagged 39 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
30 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
dist/.build/next/server/app/api/v1/music/generations/route.jsView on unpkg · L1RSA private key in dist/.build/next/server/app/api/v1/music/generations/route.js
dist/.build/next/server/app/api/v1/music/generations/route.jsView on unpkg · L1Package source references child process execution.
bin/cli/runtime/nativeDeps.mjsView on unpkg · L10Package source references a known benign dynamic code generation pattern.
src/lib/middleware/registry.tsView on unpkg · L72Manifest entrypoint contains risky behavior absent from dist/build output.
bin/omniroute.mjsView on unpkg · L28Package source references dynamic require/import behavior.
bin/omniroute.mjsView on unpkg · L24Package source executes code through a VM context API.
open-sse/executors/duckduckgo-web/challenge.tsView on unpkg · L59Package source references weak cryptographic algorithms.
dist/responses-ws-proxy.mjsView on unpkg · L2Source writes installer persistence such as shell profile or service configuration.
bin/cli/tray/autostart.mjsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
open-sse/executors/devin-cli.tsView on unpkg · L28Source reaches cloud instance metadata or link-local credential endpoints.
src/shared/constants/featureFlagDefinitions.tsView on unpkg · L87Package source invokes a package manager install command at runtime.
bin/cli/runtime/trayRuntime.tsView on unpkg · L3Package ships non-JavaScript build or shell helper files.
bin/cli/tray/tray.ps1View on unpkgPackage ships high-entropy non-source blobs.
dist/.build/next/static/media/material-symbols-outlined.18ac682d.woff2View on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
dist/.build/next/server/chunks/98512.jsView on unpkgPackage contains source files above the static scanner size ceiling.
dist/.build/next/server/chunks/98512.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/server.jsView on unpkgHardcoded password in dist/.build/next/server/app/forgot-password/page.js
dist/.build/next/server/app/forgot-password/page.jsView on unpkg · L2RSA private key in dist/.build/next/server/app/api/v1/audio/speech/route.js
dist/.build/next/server/app/api/v1/audio/speech/route.jsView on unpkg · L40RSA private key in dist/.build/next/server/chunks/35110.js
dist/.build/next/server/chunks/35110.jsView on unpkg · L18RSA private key in dist/.build/next/server/chunks/3107.js
dist/.build/next/server/chunks/3107.jsView on unpkg · L1RSA private key in dist/.build/next/server/chunks/18158.js
dist/.build/next/server/chunks/18158.jsView on unpkg · L25RSA private key in dist/.build/next/server/chunks/12044.js
dist/.build/next/server/chunks/12044.jsView on unpkg · L1RSA private key in dist/.build/next/server/chunks/22686.js
dist/.build/next/server/chunks/22686.jsView on unpkg · L1RSA private key in dist/.build/next/server/chunks/4010.js
dist/.build/next/server/chunks/4010.jsView on unpkg · L1Hardcoded password in dist/.build/next/static/chunks/app/forgot-password/page-2769208a6190f743.js
dist/.build/next/static/chunks/app/forgot-password/page-2769208a6190f743.jsView on unpkg · L1