Static Scan Results
scanned 11d ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
4 flagged · loading sourcepackages/dashboard/server/executor.jsView file
1import { spawn } from 'child_process'
L2:
High
Child Process
Package source references child process execution.
packages/dashboard/server/executor.jsView on unpkg · L112const args = String(command || '').trim().split(/\s+/).filter(Boolean)
L13: const proc = spawn('npx', ['sillyspec', ...args], {
L14: cwd: projectPath,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
packages/dashboard/server/executor.jsView on unpkg · L12src/worktree-deps.jsView file
112if (process.platform === 'win32') {
L113: execSync(`mklink /J "${linkPath}" "${mainNodeModules}"`, { shell: 'cmd.exe', stdio: ['pipe', 'pipe', 'pipe'] });
L114: return { ok: true, method: 'junction' };
High
src/stages/execute.jsView file
298\`\`\`bash
L299: node -e "import('./src/worktree.js').then(w => { const wm = new w.WorktreeManager(); const m = wm.getMeta('<change-name>'); console.log(m ? JSON.stringify({mode: m.mode, path: m.wo...
L300: \`\`\`
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/stages/execute.jsView on unpkg · L298Findings
3 High4 Medium5 Low
HighChild Processpackages/dashboard/server/executor.js
HighShellsrc/worktree-deps.js
HighRuntime Package Installpackages/dashboard/server/executor.js
MediumDynamic Requiresrc/stages/execute.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings