Static Scan Results
scanned 8h ago · by rust-scannerStatic analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcedist/lib/deploy.jsView file
8// `stream: true` for live output.
L9: import { spawnSync } from "node:child_process";
L10: import { existsSync, readdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
High
dist/mcp.jsView file
252case "check_errors": {
L253: const r = spawnSync("npx", ["tsc", "--noEmit"], { cwd: process.cwd(), encoding: "utf-8" });
L254: const out = (r.stdout || "") + (r.stderr || "");
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/mcp.jsView on unpkg · L252Findings
3 High3 Medium6 Low
HighChild Processdist/lib/deploy.js
HighShell
HighRuntime Package Installdist/mcp.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License