Static Scan Results
scanned 1d ago · by rust-scannerStatic analysis flagged 11 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsMinifiedObfuscatedUrlStrings
Source & flagged code
3 flagged · loading sourcedist/transcript-anchors-BTNe1OJi.jsView file
19import { readdir, stat, writeFile } from "node:fs/promises";
L20: import { spawn } from "node:child_process";
L21: import { homedir, tmpdir } from "node:os";
L22: import { createHash } from "node:crypto";
L23: import { createGunzip } from "node:zlib";
L24: import { createContext, useCallback, useContext, useEffect, useMemo, useRef, useState } from "react";
...
L64: * doesn't take down the entire picker. Failed rows are silently skipped;
L65: * a stderr line is emitted under `ZIDANE_DEBUG` for diagnosis.
L66: */
...
L78: } catch (err) {
L79: if (process.env.ZIDANE_DEBUG) {
L80: const cause = err instanceof Error ? err.message : String(err);
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/transcript-anchors-BTNe1OJi.jsView on unpkg · L19dist/auth-B3cB5K6d.jsView file
14import { randomBytes } from "node:crypto";
L15: import { createServer } from "node:http";
L16: import { getBuiltinModel, getBuiltinModels } from "@earendil-works/pi-ai/providers/all";
...
L18: //#region src/chat/oauth-page/server.ts
L19: const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
L20: function buildRequestHandler(opts, pending) {
...
L43: res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
L44: res.end(opts.renderPage({
L45: kind: "success",
...
L121: //#region src/chat/oauth-page/anthropic.ts
L122: const CLIENT_ID$1 = atob("[redacted]");
L123: const AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/auth-B3cB5K6d.jsView on unpkg · L1414Trigger-reachable chain: manifest.exports -> dist/chat.js -> dist/auth-B3cB5K6d.js
L14: import { randomBytes } from "node:crypto";
L15: import { createServer } from "node:http";
L16: import { getBuiltinModel, getBuiltinModels } from "@earendil-works/pi-ai/providers/all";
...
L18: //#region src/chat/oauth-page/server.ts
L19: const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
L20: function buildRequestHandler(opts, pending) {
...
L43: res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
L44: res.end(opts.renderPage({
L45: kind: "success",
...
L121: //#region src/chat/oauth-page/anthropic.ts
L122: const CLIENT_ID$1 = atob("[redacted]");
L123: const AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/auth-B3cB5K6d.jsView on unpkg · L14Findings
2 Critical3 Medium6 Low
CriticalCredential Exfiltrationdist/auth-B3cB5K6d.js
CriticalTrigger Reachable Dangerous Capabilitydist/auth-B3cB5K6d.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/transcript-anchors-BTNe1OJi.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings