Static Scan Results
scanned 1d ago · by rust-scanner
Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface: ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
Content signals: HighEntropyStrings, UrlStrings
License: NoLicense
Source & flagged code
4 flagged · dist/index.js
L2797: import { Command as Command22 } from "commander";
L2798: import { execFileSync } from "child_process";
L2799:
High
L2881: try {
L2882: latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
L2883: } catch {
High
L3760: if (opts.skill) touchCache(SKILL_CACHE_FILE);
L3761: spawn(process.execPath, [entryPath, REFRESH_COMMAND], {
L3762: detached: true,
...
L3766: env: {
L3767: ...process.env,
L3768: [ENV_REFRESH_CLI]: opts.cli ? "1" : "",
...
L3775: function refreshCliCache() {
L3776: return new Promise((resolve4) => {
L3777: execFile(
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.js · L3760
L2881: try {
L2882: latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
L2883: } catch {
L2884: console.error(`Could not reach npm to check for updates.`);
L2885: console.error(`Try manually: npm install -g ${NPM_PACKAGE}`);
L2886: process.exit(1);
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.js · L2881
Findings
4 High · 3 Medium · 5 Low
High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License