Static Scan Results
Scanned 3d ago · by rust-scanner
Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
Public snapshot
Behavioral surface: ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
HighEntropyStrings, UrlStrings
NoLicense
Source & flagged code
4 flagged · dist/index.js

L2750: import { Command as Command21 } from "commander";
L2751: import { execFileSync } from "child_process";
L2752:
Severity: High

L2834: try {
L2835: latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
L2836: } catch {
Severity: High

L3677: if (opts.skill) touchCache(SKILL_CACHE_FILE);
L3678: spawn(process.execPath, [entryPath, REFRESH_COMMAND], {
L3679: detached: true,
...
L3683: env: {
L3684: ...process.env,
L3685: [ENV_REFRESH_CLI]: opts.cli ? "1" : "",
...
L3692: function refreshCliCache() {
L3693: return new Promise((resolve4) => {
L3694: execFile(
Severity: High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.js · L3677

L2834: try {
L2835: latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
L2836: } catch {
L2837: console.error(`Could not reach npm to check for updates.`);
L2838: console.error(`Try manually: npm install -g ${NPM_PACKAGE}`);
L2839: process.exit(1);
Severity: High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.js · L2834

Findings
4 High · 3 Medium · 5 Low
High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License