Static Scan Results
scanned 3h ago · by rust-scannerStatic analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcesrc/main.jsView file
1const { spawnSync } = require("node:child_process");
L2: const fs = require("node:fs/promises");
High
1const { spawnSync } = require("node:child_process");
L2: const fs = require("node:fs/promises");
...
L6:
L7: const API_BASE_URL = "https://api.aiphui.top/v1";
L8: const DEFAULT_MODEL = "gpt-image-2-4K";
...
L11:
L12: function configPath(homeDirectory = process.env.HOME || process.env.USERPROFILE) {
L13: return path.join(homeDirectory, ".xingren-image-mcp", "config.json");
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
src/main.jsView on unpkg · L188await setup();
L89: const existing = spawnSync("codex", ["mcp", "remove", "xingren-image"], { encoding: "utf8" });
L90: if (existing.error) {
L91: throw new Error("令牌已保存,但没有找到 Codex 命令。请先安装 Codex CLI,或在 Codex 桌面端“设置 → MCP servers”中添加:npx -y xingren-codex-image-mcp");
L92: }
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
src/main.jsView on unpkg · L88Findings
3 High3 Medium5 Low
HighChild Processsrc/main.js
HighSame File Env Network Executionsrc/main.js
HighRuntime Package Installsrc/main.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License