registry  /  practicode  /  0.2.3

practicode@0.2.3

Offline-first programming language lessons and coding practice in a Rust terminal UI.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 12.6 KB of source, external domains: docs.docker.com, github.com

Source & flagged code

2 flagged · loading source
bin/practicode.jsView file
2L3: const { main } = require("./launcher.js"); L4:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/practicode.jsView on unpkg · L2
bin/launcher.jsView file
1const { spawnSync } = require("node:child_process"); L2: const { createHash, randomBytes } = require("node:crypto"); ... L15: } = require("node:fs"); L16: const http = require("node:http"); L17: const https = require("node:https"); ... L47: L48: function cacheDirectory(env = process.env, platform = process.platform, home = homedir()) { L49: if (env.PRACTICODE_CACHE_DIR) return path.resolve(env.PRACTICODE_CACHE_DIR); ... L126: } L127: return Buffer.concat(chunks).toString("utf8"); L128: } ... L349: async function main(args, root = path.resolve(__dirname, "..")) {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/launcher.jsView on unpkg · L1

Findings

1 High4 Medium3 Low
HighSandbox Evasion Gated Capabilitybin/launcher.js
MediumDynamic Requirebin/practicode.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings