Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 5 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcess
UrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcebin/opendmo.jsView file
4// see LICENSE); this shim is the only JavaScript in the opendmo package.
L5: const { spawnSync } = require("node:child_process");
L6: const { dirname, join } = require("node:path");
...
L11:
L12: const key = process.platform + "-" + process.arch;
L13: const packageName = PLATFORM_PACKAGES[key];
...
L20: try {
L21: packageJsonPath = require.resolve(packageName + "/package.json");
L22: } catch {
...
L25: "Reinstall with: npm i -g opendmo\n" +
L26: "or use the installer: curl -fsSL https://cdn.jsdelivr.net/npm/opendmo/install.sh | bash",
L27: );
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/opendmo.jsView on unpkg · L4install.shView file
•path = install.sh
kind = build_helper
sizeBytes = 7480
magicHex = [redacted]
Medium
Findings
1 High2 Medium2 Low
HighSandbox Evasion Gated Capabilitybin/opendmo.js
MediumShips Build Helperinstall.sh
MediumStructural Risk Force Deep Review
LowUrl Strings
LowNo License