Static Scan Results
scanned 3d ago · by rust-scanner
Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
Child Process · Crypto · Dynamic Require · Environment Vars · Filesystem · Network · Shell
High Entropy Strings · Url Strings
No License
Source & flagged code
4 flagged
dist/cli/updater.js
L18: import { createRequire } from 'node:module';
L19: import { spawn } from 'node:child_process';
L20: import path from 'node:path';
High
Child Process
Package source references child process execution.
dist/cli/updater.js · L18
L126: * On Windows, `spawn('npm', ...)` fails with ENOENT because npm is a .cmd
L127: * shim — `shell: true` lets the shell resolve the extension.
L128: */
High
bin/zelari-code.js
L22: const require = createRequire(import.meta.url);
L23: const __dirname = path.dirname(fileURLToPath(import.meta.url));
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/zelari-code.js · L21
dist/cli/main.bundled.js
L250: async function openBrowser(url2) {
L251: const { spawn: spawn3 } = await import("node:child_process");
L252: const cmd = (() => {
...
L376: try {
L377: const raw = readFileSync(file2, "utf-8");
L378: const parsed = JSON.parse(raw);
...
L499: { id: "openai-compatible", displayName: "OpenAI-compatible", envVar: "OPENAI_API_KEY" },
L500: { id: "minimax", displayName: "MiniMax", envVar: "MINIMAX_API_KEY", baseUrl: "https://api.MiniMax.chat/v1" },
L501: { id: "glm", displayName: "GLM / Z.AI", envVar: "GLM_API_KEY", baseUrl: "https://api.z.ai/v1" },
...
L5275: - Prefer to consolidate related actions into a single tools block at the end of your response.
L5276: - Never invent tool names \u2014 use only the tools listed in your AVAILABLE TOOLS section.
L5277: - After creating artifacts via tools, briefly name what you created so downstream agents can build on it without re-querying.`
High
Remote Agent Bridge
Source exposes local file and command tools to a remote model endpoint.
dist/cli/main.bundled.js · L250
Findings
3 High · 4 Medium · 6 Low
High · Child Process · dist/cli/updater.js
High · Shell · dist/cli/updater.js
High · Remote Agent Bridge · dist/cli/main.bundled.js
Medium · Dynamic Require · bin/zelari-code.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk (Force Deep Review)
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License