Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/token-store.js#virtual:normalized:round1View file
14* service = "Claude Code-credentials"
L15: * account = current OS user (os.userInfo().username)
L16: * value = JSON: { mcpOAuth: { "<serverName>|<hash>": { accessToken, serverUrl, expiresAt? } } }
...
L23: */
L24: import { execFile } from 'node:child_process';
L25: import { promisify } from 'node:util';
...
L44: function adapterConfigDir() {
L45: return process.env.WALKTALK_CONFIG_DIR ?? join(homedir(), '.walktalk');
L46: }
...
L58: const raw = await readFile(adapterCredentialsPath(), 'utf8');
L59: const parsed = JSON.parse(raw);
L60: if (!parsed || typeof parsed.access_token !== 'string' || !parsed.access_token)
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/token-store.js#virtual:normalized:round1View on unpkg · L14Findings
1 High3 Medium5 Low
HighSandbox Evasion Gated Capabilitydist/token-store.js#virtual:normalized:round1
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings