drop /var/lib/snapd · parse installed snaps + revisions + interfaces · runs locally
flags classic confinement · sideloaded snaps · stale revisions · risky interface grants (home, removable-media, …)
heuristic screener · partial acquisitions without state.json are noted · interface grants are indicative only · not definitive proof
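
The kind of check described above, as an added example (not this tool's own code). It assumes the state.json layout: snaps under data.snaps with "classic", "current" and a "sequence" of revisions, connections under data.conns keyed "snap:plug snap:slot", and "undesired" marking a disconnected grant. The sample state is constructed, and screen_snaps is a hypothetical name.

```python
import json

# Interfaces the page names as risky; its list is elided ("…"), so only these two.
RISKY_INTERFACES = {"home", "removable-media"}

# Constructed sample mimicking the assumed state.json layout (not real data).
SAMPLE_STATE = json.loads("""
{"data": {
  "snaps": {
    "editor": {"type": "app", "current": "12", "classic": true,
               "sequence": [{"name": "editor", "snap-id": "CONSTRUCTEDID0001", "revision": "12"}]},
    "localtool": {"type": "app", "current": "x1",
                  "sequence": [{"name": "localtool", "revision": "x1"}]}
  },
  "conns": {
    "localtool:home core:home": {"interface": "home", "auto": true},
    "editor:network core:network": {"interface": "network", "auto": true},
    "localtool:removable-media core:removable-media": {"interface": "removable-media", "undesired": true}
  }
}}
""")

def screen_snaps(state):
    """Return a sorted list of (snap, finding) tuples; findings are indicative only."""
    if state is None:
        return [("*", "state.json missing: partial acquisition, nothing screened")]
    data = state.get("data", {})
    findings = []
    for name, snap in data.get("snaps", {}).items():
        if snap.get("classic"):
            findings.append((name, "classic confinement"))
        current = str(snap.get("current", ""))
        entry = next((s for s in snap.get("sequence", []) if str(s.get("revision")) == current), {})
        # Assumption: local installs carry an x-prefixed revision and no store snap-id.
        if current.startswith("x") or (entry and not entry.get("snap-id")):
            findings.append((name, f"sideloaded (revision {current})"))
    for conn_id, conn in data.get("conns", {}).items():
        iface = conn.get("interface")
        if iface in RISKY_INTERFACES and not conn.get("undesired"):
            plug_snap = conn_id.split(" ")[0].split(":")[0]
            findings.append((plug_snap, f"risky interface connected: {iface}"))
    return sorted(findings)

if __name__ == "__main__":
    for snap, finding in screen_snaps(SAMPLE_STATE):
        print(f"{snap}: {finding}")
```
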