Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
(public snapshot)
Behavioral surface: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, HighEntropyStrings, Minified, UrlStrings
Source & flagged code
2 flagged
File: dist/pro/bind.js
L30: }
L31: const mod = await import(pathToFileURL(entry).href).catch((err) => {
L32: app.log.warn({ err }, 'pro plugin present but failed to load — OSS mode');
Severity: Medium
Finding: Dynamic Require
Package source references dynamic require/import behavior.
Location: dist/pro/bind.js, L30
File: dist/cli.js
L1: #!/usr/bin/env node
L2: import { execFile, execFileSync } from 'node:child_process';
L3: import { mkdirSync } from 'node:fs';
...
L6: // ── tiny ANSI helpers (degrade gracefully when not a TTY) ──────────────────
L7: const useColor = process.stdout.isTTY && process.env.NO_COLOR === undefined;
L8: const paint = (code, s) => useColor ? `\x1b[${code}m${s}\x1b[0m` : s;
...
L80: Prerequisite (local mode):
L81: Requires the GitHub CLI (https://cli.github.com), authenticated via
L82: \`gh auth login\`. The dashboard reads your activity using your gh token.
...
L90: function openBrowser(url) {
L91: const platform = process.platform;
L92: const cmd = platform === 'darwin' ? 'open' : platform === 'win32' ? 'cmd' : 'xdg-open';
Severity: High
Finding: Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
Location: dist/cli.js, L1
Findings
1 High · 4 Medium · 3 Low
High: Sandbox Evasion Gated Capability (dist/cli.js)
Medium: Dynamic Require (dist/pro/bind.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk, Force Deep Review
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings