Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · UrlStrings
CopyleftLicense
Source & flagged code
2 flagged
package.json
• scripts.postinstall = node ./scripts/npm/install-release.mjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
scripts/npm/cli-path.mjs
L4: import path from "node:path";
L5: import { spawnSync } from "node:child_process";
L6: import { fileURLToPath } from "node:url";
...
L14:
L15: function executableName(name, platform = process.platform) {
L16: return platform === "win32" ? `${name}.exe` : name;
...
L32:
L33: export function cliPathRegistrationSkipped(env = process.env) {
L34: return (
...
L62: function posixHome() {
L63: return process.env.HOME || homedir();
L64: }
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
scripts/npm/cli-path.mjs · L4
Findings
1 High · 4 Medium · 5 Low
High · Install Time Lifecycle Scripts · package.json
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · scripts/npm/cli-path.mjs
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Copyleft License