Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis completed at 65.0% confidence. No malicious behavior was detected; 9 low-signal pattern(s) were surfaced and cleared.
Static reason
No blocking static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/worker.jsView file
1import { execFile } from "node:child_process";
L2: import { existsSync } from "node:fs";
High
9// Own the timeout instead of using execFile's: with shell:true the direct child is
L10: // cmd.exe/sh, and on Windows killing only it orphans the actual agent — which keeps
L11: // editing files after our git reset and holds the stdio pipes open (so the callback
High
dist/index.jsView file
2768server.on("close", () => service.store.close());
L2769: log(`Tower listening on http://${host}:${port}/mcp${token ? " (token required)" : ""}`);
L2770: log(`Live board: http://${host}:${port}/board`);
...
L2779: }
L2780: function gitDefaults(cwd, env = process.env) {
L2781: const git = (cmd) => {
L2782: try {
L2783: return execSync(cmd, { cwd, stdio: ["ignore", "pipe", "ignore"] }).toString().trim();
L2784: } catch {
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L2768Findings
3 High2 Medium4 Low
HighChild Processdist/worker.js
HighShelldist/worker.js
HighSame File Env Network Executiondist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings