Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 4 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVars
UrlStrings
Source & flagged code
1 flagged · loading sourcebin/qualitymd.jsView file
7L8: const { spawnSync } = require("node:child_process");
L9:
L10: const isMusl =
L11: process.platform === "linux" &&
L12: !process.report?.getReport?.().header?.glibcVersionRuntime;
...
L24: `--no-optional, reinstall without it, or use the managed installer:\n` +
L25: ` curl -fsSL https://getquality.md/install.sh | sh`,
L26: );
...
L29:
L30: const env = { ...process.env, QUALITYMD_INSTALL_METHOD: "npm" };
L31: const result = spawnSync(binary, process.argv.slice(2), { stdio: "inherit", env });
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/qualitymd.jsView on unpkg · L7Findings
1 High1 Medium2 Low
HighSandbox Evasion Gated Capabilitybin/qualitymd.js
MediumEnvironment Vars
LowScripts Present
LowUrl Strings