Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 8 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcebin/stacktora.jsView file
3'use strict';
L4: const fs = require('fs'), path = require('path');
L5:
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/stacktora.jsView on unpkg · L3engine.jsView file
9if (typeof global.window === 'undefined') global.window = { matchMedia: function () { return { matches: false, addEventListener: _noop }; }, scrollTo: _noop, addEventListener: _noo...
L10: if (typeof global.Alpine === 'undefined') global.Alpine = { data: _noop, store: _noop, start: _noop };
L11:
...
L188: { id:'Free', price:0, yr:0, tagline:'For individual developers getting started.',
L189: features:['1 private project','Public template gallery','Full generator & all output files','Latest version only'] },
L190: { id:'Pro', price:9, yr:90, popular:true, tagline:'For developers who live in their terminal.',
...
L214: { cat:'Configuring & outputs', q:'What does `make doctor` do?', a:'A preflight check: it verifies Docker is installed and running, Compose v2 is available, and that the host ports ...
L215: { cat:'Configuring & outputs', q:'Is there a CLI?', a:'Yes — <code>npx stacktora sync</code> regenerates your project\'s files locally from the <code>stacktora.json</code> recipe e...
L216: { cat:'Configuring & outputs', q:'Can CI check my stacktora.json without installing the CLI?', a:'Yes — <a href="https://github.com/stacktora/audit-action" target="_blank" rel="noo...
...
L4
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
engine.jsView on unpkg · L9Findings
1 Critical3 Medium4 Low
CriticalCredential Exfiltrationengine.js
MediumDynamic Requirebin/stacktora.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings