Static Scan Results
scanned 14d ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystem
HighEntropyStrings
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node dist/postinstall.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgdist/core/openspecGate.jsView file
9exports.checkP0AcMappedInChange = checkP0AcMappedInChange;
L10: const child_process_1 = require("child_process");
L11: const promises_1 = __importDefault(require("fs/promises"));
High
Child Process
Package source references child process execution.
dist/core/openspecGate.jsView on unpkg · L9dist/core/opsxDelivery.jsView file
177const openspecOk = hasCommand("openspec") ||
L178: (0, child_process_1.spawnSync)("npx", ["openspec", "--version"], { stdio: "ignore", cwd: root }).status === 0;
L179: checks.push({
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/core/opsxDelivery.jsView on unpkg · L177Findings
3 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/core/openspecGate.js
HighRuntime Package Installdist/core/opsxDelivery.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings