Static Scan Results
scanned 2h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/update/index.jsView file
10import { join } from 'node:path';
L11: import { spawn } from 'node:child_process';
L12: import { confirm } from '@inquirer/prompts';
...
L18: const FETCH_TIMEOUT_MS = 1500;
L19: const NPM_REGISTRY = 'https://registry.npmjs.org/vexi-cli/latest';
L20: /** Returns true if version string `a` is strictly greater than `b`. */
...
L45: if (cacheRaw) {
L46: const cache = JSON.parse(cacheRaw);
L47: const age = Date.now() - new Date(cache.lastCheck).getTime();
...
L81: return new Promise((resolve) => {
L82: const cmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
L83: const child = spawn(cmd, args, { stdio: 'inherit' });
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/update/index.jsView on unpkg · L10Findings
1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/update/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings