Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcelib/setup.jsView file
5const path = require('path')
L6: const { spawnSync } = require('child_process')
L7:
L8: const DEFAULT_URL = 'https://tokenfin.curiousdevs.com/api/mcp'
L9:
L10: const log = (m) => process.stdout.write(m + '\n')
L11: const die = (m) => { throw new Error(m) }
...
L13: function hasClaude() {
L14: const r = spawnSync('claude', ['--version'], { stdio: 'ignore', shell: process.platform === 'win32' })
L15: return !r.error && r.status === 0
...
L26: const onData = (chunk) => {
L27: const ch = chunk.toString('utf8')
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
lib/setup.jsView on unpkg · L5Findings
1 High3 Medium3 Low
HighSandbox Evasion Gated Capabilitylib/setup.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings