Static Scan Results
scanned 11h ago · by rust-scanner
Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
HighEntropyStrings · Minified · Telemetry · UrlStrings
Source & flagged code
1 flagged
dist/analytics/telemetry-client.js
L14: import { POSTHOG_API_KEY as BAKED_POSTHOG_KEY } from "./_generated-posthog-key.js";
L15: const DEFAULT_POSTHOG_HOST = "https://us.i.posthog.com";
L16: export class TelemetryClient {
...
L25: // Gate: respect DO_NOT_TRACK
L26: if (process.env.DO_NOT_TRACK === "1")
L27: return false;
L28: // Gate: auto-disable in CI
L29: if (process.env.CI === "true")
L30: return false;
...
L37: this.distinctId = createHash("sha256")
L38: .update(os.hostname() + projectRoot)
L39: .digest("hex")
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/analytics/telemetry-client.js · L14
Findings
1 High · 3 Medium · 5 Low
High · Sandbox Evasion Gated Capability · dist/analytics/telemetry-client.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings