Static Scan Results
scanned 2d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/transcript-anchors-DSRPWjiH.jsView file
19import { readdir, stat, writeFile } from "node:fs/promises";
L20: import { spawn } from "node:child_process";
L21: import { homedir, tmpdir } from "node:os";
L22: import { createHash } from "node:crypto";
L23: import { createGunzip } from "node:zlib";
L24: import { createContext, useCallback, useContext, useEffect, useMemo, useRef, useState } from "react";
...
L64: * doesn't take down the entire picker. Failed rows are silently skipped;
L65: * a stderr line is emitted under `ZIDANE_DEBUG` for diagnosis.
L66: */
...
L85: if (result.status === "fulfilled" && result.value) metas.push(result.value);
L86: else if (result.status === "rejected" && process.env.ZIDANE_DEBUG) {
L87: const cause = result.reason instanceof Error ? result.reason.message : String(result.reason);
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/transcript-anchors-DSRPWjiH.jsView on unpkg · L19dist/auth-BDSu_0t3.jsView file
14import { randomBytes } from "node:crypto";
L15: import { createServer } from "node:http";
L16: import { getModel, getModels } from "@earendil-works/pi-ai";
...
L18: //#region src/chat/oauth-page/server.ts
L19: const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
L20: function buildRequestHandler(opts, pending) {
...
L43: res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
L44: res.end(opts.renderPage({
L45: kind: "success",
...
L121: //#region src/chat/oauth-page/anthropic.ts
L122: const CLIENT_ID$1 = atob("[redacted]");
L123: const AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/auth-BDSu_0t3.jsView on unpkg · L1414Trigger-reachable chain: manifest.exports -> dist/chat.js -> dist/auth-BDSu_0t3.js
L14: import { randomBytes } from "node:crypto";
L15: import { createServer } from "node:http";
L16: import { getModel, getModels } from "@earendil-works/pi-ai";
...
L18: //#region src/chat/oauth-page/server.ts
L19: const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
L20: function buildRequestHandler(opts, pending) {
...
L43: res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
L44: res.end(opts.renderPage({
L45: kind: "success",
...
L121: //#region src/chat/oauth-page/anthropic.ts
L122: const CLIENT_ID$1 = atob("[redacted]");
L123: const AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/auth-BDSu_0t3.jsView on unpkg · L14Findings
2 Critical3 Medium6 Low
CriticalCredential Exfiltrationdist/auth-BDSu_0t3.js
CriticalTrigger Reachable Dangerous Capabilitydist/auth-BDSu_0t3.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/transcript-anchors-DSRPWjiH.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings