Static Scan Results
scanned 6d ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/token-goat.mjsView file
42L43: // <define:import.meta.env>
L44: var init_define_import_meta_env = __esm({
...
L55: * Constructs the CommanderError class
L56: * @param {number} exitCode suggested exit code which could be used with process.exit
L57: * @param {string} code an id string representing the error
...
L986: var EventEmitter = __require("node:events").EventEmitter;
L987: var childProcess = __require("node:child_process");
L988: var path42 = __require("node:path");
...
L1035: this._outputConfiguration = {
L1036: writeOut: (str) => process2.stdout.write(str),
L1037: writeErr: (str) => process2.stderr.write(str),
High
Cloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
dist/token-goat.mjsView on unpkg · L422import { createRequire as __cjsRequire } from 'node:module';
L3: const require = __cjsRequire(import.meta.url);
L4: var __create = Object.create;
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/token-goat.mjsView on unpkg · L2Findings
1 High4 Medium4 Low
HighCloud Metadata Accessdist/token-goat.mjs
MediumDynamic Requiredist/token-goat.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings