Static Scan Results
scanned 2d ago · by rust-scannerStatic analysis flagged 23 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
14 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage contains a critical-looking secret pattern.
clis/douyin/_shared/tos-upload-short-read.test.jsView on unpkg · L47AWS access key ID in clis/douyin/_shared/tos-upload-short-read.test.js
clis/douyin/_shared/tos-upload-short-read.test.jsView on unpkg · L47AWS access key ID in clis/douyin/_shared/tos-upload-short-read.test.js
clis/douyin/_shared/tos-upload-short-read.test.jsView on unpkg · L67Package source references a known benign dynamic code generation pattern.
dist/src/weixin-download.test.jsView on unpkg · L22Package source references dynamic require/import behavior.
dist/src/discovery.jsView on unpkg · L181Package source executes code through a VM context API.
clis/douban/utils.test.jsView on unpkg · L109Package source references weak cryptographic algorithms.
clis/flomo/memos.jsView on unpkg · L76Source writes installer persistence such as shell profile or service configuration.
scripts/postinstall.jsView on unpkg · L7Package ships non-JavaScript build or shell helper files.
scripts/check-doc-coverage.shView on unpkgHardcoded password in dist/src/observation/redaction.test.js
dist/src/observation/redaction.test.jsView on unpkg · L28AWS access key ID in clis/douyin/_shared/tos-upload.test.js
clis/douyin/_shared/tos-upload.test.jsView on unpkg · L149AWS access key ID in clis/douyin/_shared/tos-upload.test.js
clis/douyin/_shared/tos-upload.test.jsView on unpkg · L166