Static Scan Results
scanned 14d ago · by rust-scannerStatic analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
CopyleftLicense
Source & flagged code
4 flagged · loading sourcedist/services/agent/AgentCore.jsView file
101// Use eval to prevent TypeScript from transforming to require()
L102: const claudeSDK = await eval("import('@anthropic-ai/claude-agent-sdk')");
L103: // Wrap with Context Company observability when TCC_API_KEY is configured
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/services/agent/AgentCore.jsView on unpkg · L101bin/rivet.jsView file
4L5: const fs = require('fs');
L6: const path = require('path');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/rivet.jsView on unpkg · L4src/ui/dist/favicon.icoView file
•path = src/ui/dist/favicon.ico
kind = high_entropy_blob
sizeBytes = 4820
magicHex = [redacted]
High
Ships High Entropy Blob
Package ships high-entropy non-source blobs.
src/ui/dist/favicon.icoView on unpkgdist/mcp/server.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = rivet-design@0.11.17
matchedIdentity = npm:cml2ZXQtZGVzaWdu:0.11.17
similarity = 0.867
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/mcp/server.jsView on unpkgFindings
1 Critical1 High4 Medium9 Low
CriticalPrevious Version Dangerous Deltadist/mcp/server.js
HighShips High Entropy Blobsrc/ui/dist/favicon.ico
MediumDynamic Requirebin/rivet.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/services/agent/AgentCore.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License