Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
5 flagged · loading sourcedist/lowlight-PGTWXTUQ.jsView file
724/** @param {string} s */
L725: exec(s) {
L726: this.matcherRe.lastIndex = this.lastIndex;
High
Child Process
Package source references child process execution.
dist/lowlight-PGTWXTUQ.jsView on unpkg · L72427377L27378: // ../../node_modules/.pnpm/highlight.js@11.11.1/node_modules/highlight.js/es/languages/powershell.js
L27379: function powershell(hljs) {
High
dist/index.jsView file
1806apiKeyFile: z.string().optional(),
L1807: baseUrl: z.string().url().optional()
L1808: }).strict();
...
L2329: import path4 from "path";
L2330: import { execFile, spawn } from "child_process";
L2331: import { spawn as spawn2 } from "child_process";
...
L3588: return content.startsWith('You are working on the following objective: "') && content.includes("\nCurrent task (") && content.includes(
L3589: "\nExecute this task using the available tools. Return a summary of what was done."
L3590: );
...
L13213: try {
L13214: const raw = fs.readFileSync(cachePath(), "utf8");
L13215: const parsed = JSON.parse(raw);
High
Remote Agent Bridge
Source exposes local file and command tools to a remote model endpoint.
dist/index.jsView on unpkg · L18062636"Never install system packages (apt, brew, yum, pip without --user, etc.) or browser drivers (playwright install-deps) autonomously \u2014 these modify state outside the project. I...
L2637: "When verifying a UI or server feature: check once whether a browser automation tool is available (e.g. `which chromium`, `node -e \"require('playwright')\"`). If unavailable, repo...
L2638: ].join("\n");
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L26361706updateCacheDirName: "terminuz",
L1707: repositoryUrl: "https://github.com/N1ghthill/terminuz",
L1708: legacy: {
...
L1733: };
L1734: function getProductEnv(preferred, legacy, env = process.env) {
L1735: return env[preferred] ?? env[legacy];
...
L1755: function getUserDataDir(appName) {
L1756: if (process.platform === "win32") {
L1757: return path3.join(process.env.APPDATA ?? os.homedir(), appName);
L1758: }
...
L1893: updatedAt: z.string(),
L1894: metadata: z.record(z.unknown()).default({})
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/index.jsView on unpkg · L1706Findings
3 High4 Medium6 Low
HighChild Processdist/lowlight-PGTWXTUQ.js
HighShelldist/lowlight-PGTWXTUQ.js
HighRemote Agent Bridgedist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings