Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcesrc/mcp.mjsView file
2// wrapped: a broken agent CLI downgrades to a printed hint, never a crash.
L3: import { spawnSync } from "node:child_process";
L4: import { color, info, ok, warn, fail } from "./ui.mjs";
L5:
L6: const MCP_URL = "https://tinyposter.app/api/mcp";
L7:
L8: function runCli(cmd, args, { timeout = 60000, inherit = false } = {}) {
L9: const isWin = process.platform === "win32";
L10: try {
...
L17: if (res.error) return { ok: false, out: "", detail: res.error.message };
L18: const out = `${res.stdout || ""}\n${res.stderr || ""}`;
L19: const lastLine = (res.stderr || res.stdout || "").trim().split("\n").pop() || "";
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/mcp.mjsView on unpkg · L2Findings
1 High3 Medium3 Low
HighSandbox Evasion Gated Capabilitysrc/mcp.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings