Static Scan Results
scanned 7d ago · by rust-scannerStatic analysis flagged 26 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
17 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgPackage text addresses the security reviewer or scanner and tries to influence the review outcome.
README.mdView on unpkgPackage contains a critical-looking secret pattern.
dist/defence/sensitivity/patterns.jsView on unpkg · L25RSA private key in dist/defence/sensitivity/patterns.js
dist/defence/sensitivity/patterns.jsView on unpkg · L25EC private key in dist/defence/sensitivity/patterns.js
dist/defence/sensitivity/patterns.jsView on unpkg · L26RSA private key in dist/defence/sensitivity/patterns.js
dist/defence/sensitivity/patterns.jsView on unpkg · L28Package source references child process execution.
dist/database/init.jsView on unpkg · L8Package source references a known benign dynamic code generation pattern.
dist/xray/patterns.jsView on unpkg · L19Package source references dynamic require/import behavior.
dist/database/better-sqlite3-guard.jsView on unpkg · L18Package source references weak cryptographic algorithms.
hooks/openclaw/cortex-memory/handler.tsView on unpkg · L53Source writes installer persistence such as shell profile or service configuration.
dist/setup/deep-clean.jsView on unpkg · L19A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L331Package ships high-entropy non-source blobs.
dashboard/.next/standalone/dashboard/.next/server/app/apple-icon.png.bodyView on unpkgPackage hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
dashboard/.next/standalone/dashboard/.next/server/app/apple-icon.png.bodyView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/defence/skill-scanner/patterns.jsView on unpkg