registry  /  practicode  /  0.1.19

practicode@0.1.19

Local-first coding-test practice in a Rust terminal UI with optional AI help.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystem
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.49 KB of source, external domains: docs.docker.com, sh.rustup.rs, www.rust-lang.org

Source & flagged code

2 flagged · loading source
bin/practicode.jsView file
2L3: const { spawnSync } = require("node:child_process"); L4: const { existsSync } = require("node:fs"); ... L6: L7: const root = path.resolve(__dirname, ".."); L8: const packageJson = require(path.join(root, "package.json")); L9: const dockerImage = `practicode-sandbox:${packageJson.version}`; ... L13: "release", L14: process.platform === "win32" ? "practicode.exe" : "practicode", L15: ); ... L22: if (process.platform === "darwin") { L23: return "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/practicode.jsView on unpkg · L2
2L3: const { spawnSync } = require("node:child_process"); L4: const { existsSync } = require("node:fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/practicode.jsView on unpkg · L2

Findings

1 High3 Medium3 Low
HighSandbox Evasion Gated Capabilitybin/practicode.js
MediumDynamic Requirebin/practicode.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings