
tracker-bridge@1.4.0

Tracker Bridge — local save finder for The Tower Run Tracker (emulator, USB, Mac)

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 8 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 20 file(s), 80.3 KB of source, external domains: dl.google.com, www.apple.com, www.npmjs.com

Source & flagged code

2 flagged
adb-path.mjs
L4:
L5: const pathEntrySep = process.platform === 'win32' ? ';' : ':'
L6:
...
L22:
L23: export function isDirectoryOnPath(dirPath, pathValue = process.env.PATH ?? '') {
L24: const normalized = path.normalize(dirPath)
...
L53: if (process.platform === 'darwin') {
L54: return persistUnixShellPath(normalized, ['.zprofile', '.zshrc', '.bash_profile', '.bashrc'])
L55: }
...
L59: async function persistWindowsUserPath(dirPath) {
L60: const { execFile } = await import('node:child_process')
L61: const { promisify } = await import('node:util')
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

adb-path.mjs · L4
platform-tools-install.mjs
L1: import { execFile, spawn } from 'node:child_process'
L2: import fs from 'node:fs'
...
L10:
L11: const PLATFORM_TOOLS_BASE = 'https://dl.google.com/android/repository'
L12: const DOWNLOAD_URLS = {
...
L18: export function bundledPlatformToolsRoot() {
L19: return path.join(os.homedir(), '.local-adb-bridge', 'platform-tools')
L20: }
...
L23: const root = bundledPlatformToolsRoot()
L24: return path.join(root, 'platform-tools', process.platform === 'win32' ? 'adb.exe' : 'adb')
L25: }
...
L67: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

platform-tools-install.mjs · L1

Findings

1 High · 4 Medium · 3 Low
High · Sandbox Evasion Gated Capability · platform-tools-install.mjs
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · adb-path.mjs
Medium · Structural Risk Force Deep Review
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings