Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
9import { tmpdir as tmpdir3 } from "os";
L10: import { spawn } from "child_process";
L11:
High
10021daemonArgs.push(...target);
L10022: const daemonProcess = spawn("node", [binPath, ...daemonArgs], {
L10023: detached: true,
...
L10030: if (session) break;
L10031: await new Promise((resolve4) => setTimeout(resolve4, 100));
L10032: attempts++;
...
L10034: if (!session) {
L10035: process.stderr.write(
L10036: `Error: Failed to spawn background daemon for session "${sessionName}".
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L100212061const mxcModule = "@microsoft/mxc-sdk";
L2062: await import(mxcModule);
L2063: hasMxc = true;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L20614import { program } from "commander";
L5: import { createConnection, createServer } from "net";
L6: import { existsSync as existsSync6 } from "fs";
...
L9: import { tmpdir as tmpdir3 } from "os";
L10: import { spawn } from "child_process";
L11:
...
L19: function getConfigPaths() {
L20: const home = homedir();
L21: const cwd = process2.cwd();
...
L73: const content = await readFile(file, "utf8");
L74: const json = JSON.parse(content);
L75: let mcpServers;
Low
Findings
3 High4 Medium6 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings