Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 38 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
29 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
dist/.build/next/server/chunks/_1dk29hl._.jsView on unpkg · L1RSA private key in dist/.build/next/server/chunks/_1dk29hl._.js
dist/.build/next/server/chunks/_1dk29hl._.jsView on unpkg · L1Package source references child process execution.
bin/cli/runtime/nativeDeps.mjsView on unpkg · L10Package source references a known benign dynamic code generation pattern.
open-sse/mcp-server/tools/githubSkillTools.tsView on unpkg · L123Manifest entrypoint contains risky behavior absent from dist/build output.
bin/omniroute.mjsView on unpkg · L29Package source references dynamic require/import behavior.
bin/omniroute.mjsView on unpkg · L25Package source executes code through a VM context API.
open-sse/executors/duckduckgo-web/challenge.tsView on unpkg · L59Package source references weak cryptographic algorithms.
dist/responses-ws-proxy.mjsView on unpkg · L2Source writes installer persistence such as shell profile or service configuration.
bin/cli/tray/autostart.mjsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/cli/commands/launch-codex.mjsView on unpkg · L1Source reaches cloud instance metadata or link-local credential endpoints.
src/shared/constants/featureFlagDefinitions.tsView on unpkg · L87Package source invokes a package manager install command at runtime.
bin/cli/runtime/trayRuntime.tsView on unpkg · L3Package ships non-JavaScript build or shell helper files.
bin/cli/tray/tray.ps1View on unpkgPackage ships high-entropy non-source blobs.
dist/.build/next/static/media/83afe278b6a6bb3c-s.p.2bn3s6zvc0dyp.woff2View on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
dist/.build/next/server/chunks/open-sse_services_compression_stats_ts_0hht9y-._.jsView on unpkgPackage contains source files above the static scanner size ceiling.
dist/.build/next/server/chunks/open-sse_services_compression_stats_ts_0hht9y-._.jsView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/cli/commands/serve.mjsView on unpkgRSA private key in dist/.build/next/server/chunks/_0tvn_nr._.js
dist/.build/next/server/chunks/_0tvn_nr._.jsView on unpkg · L1RSA private key in dist/.build/next/server/chunks/_1j0tmdv._.js
dist/.build/next/server/chunks/_1j0tmdv._.jsView on unpkg · L1RSA private key in dist/.build/next/server/chunks/_1d-wur6._.js
dist/.build/next/server/chunks/_1d-wur6._.jsView on unpkg · L1Hardcoded password in dist/.build/next/server/chunks/ssr/[root-of-the-server]__1pi-w2m._.js
dist/.build/next/server/chunks/ssr/[root-of-the-server]__1pi-w2m._.jsView on unpkg · L1RSA private key in dist/.build/next/server/chunks/_0wfx9f7._.js
dist/.build/next/server/chunks/_0wfx9f7._.jsView on unpkg · L289RSA private key in dist/.build/next/server/chunks/node_modules_168ft1t._.js
dist/.build/next/server/chunks/node_modules_168ft1t._.jsView on unpkg · L2RSA private key in dist/.build/next/server/chunks/_0t-w889._.js
dist/.build/next/server/chunks/_0t-w889._.jsView on unpkg · L289Hardcoded password in dist/.build/next/static/chunks/2_1a0_jcf29gc.js
dist/.build/next/static/chunks/2_1a0_jcf29gc.jsView on unpkg · L1