Static Scan Results
scanned 2h ago · by rust-scanner
Static analysis flagged 4 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess
EnvironmentVars
UrlStrings
NoLicense
Source & flagged code
1 flagged · bin/ygg.js
L14: * YGG_NPM_SOURCE install source for uvx/pipx (default: "yggdrasil-memory").
L15: * Use a wheel path or "git+https://github.com/VonderVuflya/yggdrasil.git" to test.
L16: * YGG_NO_BOOTSTRAP set to "1" to never auto-install uv.
...
L18:
L19: const { spawnSync } = require('child_process');
L20: const os = require('os');
...
L22:
L23: const SOURCE = process.env.YGG_NPM_SOURCE || 'yggdrasil-memory';
L24: const args = process.argv.slice(2);
...
L38: if (process.env.YGG_NO_BOOTSTRAP === '1') return false;
L39: process.stderr.write(
L40: 'yggdrasil: uv not found — installing it once via https://astral.sh/uv ...\n'
High
Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/ygg.js · L14
Findings
1 High · 1 Medium · 2 Low
High: Sandbox Evasion Gated Capability (bin/ygg.js)
Medium: Environment Vars
Low: Url Strings
Low: No License