Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessFilesystemNetworkShellWebSocket
HighEntropyStringsMinifiedUrlStrings
Source & flagged code
3 flagged · loading sourcebin/tina4.jsView file
16import path from 'node:path';
L17: import { execSync } from 'node:child_process';
L18: import { fileURLToPath } from 'node:url';
High
16Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
L16: import path from 'node:path';
L17: import { execSync } from 'node:child_process';
L18: import { fileURLToPath } from 'node:url';
...
L20: const __filename = fileURLToPath(import.meta.url);
L21: const __dirname = path.dirname(__filename);
L22:
...
L87:
L88: // ── package.json ──────────────────────────────────────────────
L89:
...
L136: // Proxy API calls to tina4-php/python backend in dev
L137: // proxy: { '/api': 'http://localhost:7145' },
L138: },
High
Entrypoint Build Divergence
Manifest entrypoint contains risky behavior absent from dist/build output.
bin/tina4.jsView on unpkg · L166* Usage:
L7: * npx tina4js create <name> Scaffold a new project
L8: * npx tina4js create <name> --pwa Include PWA support
...
L16: import path from 'node:path';
L17: import { execSync } from 'node:child_process';
L18: import { fileURLToPath } from 'node:url';
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
bin/tina4.jsView on unpkg · L6Findings
4 High2 Medium4 Low
HighChild Processbin/tina4.js
HighShell
HighEntrypoint Build Divergencebin/tina4.js
HighRuntime Package Installbin/tina4.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings