Static Scan Results
scanned 2d ago · by rust-scanner
Static analysis flagged 12 findings at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
Behavioral surface (public snapshot)
Child Process · Crypto · Environment Vars · Filesystem · Native Bindings · Network · Shell
High Entropy Strings · Url Strings
No License
Source & flagged code
4 flagged in dist/index.js
L2796: import { Command as Command22 } from "commander";
L2797: import { execFileSync } from "child_process";
L2798:
High
L2880: try {
L2881: latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
L2882: } catch {
High
L3749: if (opts.skill) touchCache(SKILL_CACHE_FILE);
L3750: spawn(process.execPath, [entryPath, REFRESH_COMMAND], {
L3751: detached: true,
...
L3755: env: {
L3756: ...process.env,
L3757: [ENV_REFRESH_CLI]: opts.cli ? "1" : "",
...
L3764: function refreshCliCache() {
L3765: return new Promise((resolve4) => {
L3766: execFile(
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.js · L3749
L2880: try {
L2881: latest = execFileSync("npm", ["view", NPM_PACKAGE, "version"], { timeout: 1e4, shell: true }).toString().trim();
L2882: } catch {
L2883: console.error(`Could not reach npm to check for updates.`);
L2884: console.error(`Try manually: npm install -g ${NPM_PACKAGE}`);
L2885: process.exit(1);
High
Runtime Package Install
Package source invokes a package manager command at runtime. In this file the flagged call at L2881 runs `npm view NPM_PACKAGE version`, a registry query used as an update check; the `npm install -g` at L2884 appears only inside an error message printed to the user and is not executed by this code.
dist/index.js · L2880
Findings
4 High · 3 Medium · 5 Low
High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Same File Env Network Execution · dist/index.js
High · Runtime Package Install · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License