Cargo · crates.io
pmat
Rs Build Time Command Combo: Process spawn (std::process::Command) paired with network / base64 / env-token read at build time.
Why PkgRadar flagged 3.18.0
| Severity | Signal | Evidence |
|---|---|---|
| high | Rs Build Time Command Combo | Process spawn (std::process::Command) paired with network / base64 / env-token read at build time. · pmat-3.18.0/build.rs |
| high | Rs Build Time Network | HTTP / TCP network call inside build.rs — downloads at compile time. · pmat-3.18.0/build.rs |
| medium | Remote Payload | matched "curl " · pmat-3.18.0/src/agents_md/executor/safety.rs |
| medium | Remote Payload | matched "curl " · pmat-3.18.0/src/agents_md/executor/tests.rs |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pmat-3.18.0/src/cli/analysis/defect_prediction/output_formats.rs |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pmat-3.18.0/src/cli/analysis_utilities/incremental_coverage_formatters.rs |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pmat-3.18.0/src/cli/analysis_utilities/makefile.rs |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pmat-3.18.0/src/cli/analysis_utilities/tdg_formatting.rs |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pmat-3.18.0/src/cli/defect_formatter.rs |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pmat-3.18.0/src/cli/defect_helpers/format_sarif.rs |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pmat-3.18.0/src/cli/defect_prediction_formatters.rs |
| medium | Remote Payload | matched "raw.githubusercontent.com" · pmat-3.18.0/src/cli/handlers/complexity_handlers/output.rs |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 3.18.0 | High risk | 143 | 2026-06-11 |
Block this in CI
pkgradar gate --ecosystem cargo [email protected]