registry  /  squirrelscan  /  0.0.62

squirrelscan@0.0.62

Website audit tool built for AI agents. 240+ SEO, performance & security rules from the CLI, your coding agent, the cloud, or MCP.

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 3 file(s), 10.9 KB of source, external domains: api.github.com, github.com, squirrelscan.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/squirrel.jsView file
7L8: const { spawnSync } = require("child_process"); L9: const path = require("path"); ... L13: // Native install locations (checked first) + npm package fallback (checked last) L14: const homeDir = os.homedir(); L15: const isWindows = process.platform === "win32"; L16: const ext = isWindows ? ".exe" : ""; ... L52: console.error("Or install directly:"); L53: console.error(" curl -fsSL https://squirrelscan.com/install | bash"); L54: process.exit(1);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/squirrel.jsView on unpkg · L7
scripts/postinstall.jsView file
11L12: const https = require("https"); L13: const fs = require("fs"); ... L15: const crypto = require("crypto"); L16: const { spawnSync } = require("child_process"); L17: const { getPlatform, getBinaryExtension } = require("../lib/platform"); ... L21: // Colors for terminal output L22: const supportsColor = process.stdout.isTTY; L23: const green = (s) => (supportsColor ? `\x1b[32m${s}\x1b[0m` : s); ... L52: res.on("data", (chunk) => chunks.push(chunk)); L53: res.on("end", () => resolve({ data: Buffer.concat(chunks), statusCode: res.statusCode })); L54: res.on("error", reject);
High
Install Named Payload File

Install-named source file stages remote content through filesystem writes and execution.

scripts/postinstall.jsView on unpkg · L11

Findings

3 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitybin/squirrel.js
HighInstall Named Payload Filescripts/postinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License