registry  /  @aryaminus/controlkeel  /  0.3.61

@aryaminus/controlkeel@0.3.61

Bootstrap installer for the ControlKeel native CLI - a control plane for agent-generated software delivery.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 7 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 9.60 KB of source, external domains: github.com, token.actions.githubusercontent.com

Source & flagged code

3 flagged · loading source
bin/controlkeel.jsView file
2L3: const { spawn } = require("node:child_process"); L4: const { ensureBinary } = require("../lib/install");
High
Child Process

Package source references child process execution.

bin/controlkeel.jsView on unpkg · L2
lib/install.jsView file
200L201: if (process.env.CONTROLKEEL_REQUIRE_SIGNATURE === "1") { L202: throw new Error(`[controlkeel] No cosign signature/certificate available for ${asset}`); ... L208: try { L209: execFileSync(cosignPath, [ L210: "verify-blob", filePath, ... L212: "--certificate", certFile, L213: "--certificate-identity-regexp", `^https://github.com/${repo}/.github/workflows/release.yml@refs/tags/v[0-9].*`, L214: "--certificate-oidc-issuer", "https://token.actions.githubusercontent.com"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/install.jsView on unpkg · L200
6const path = require("node:path"); L7: const https = require("node:https"); L8: L9: const packageJson = require("../package.json"); L10: ... L18: // and optional cosign sig/cert artifacts all resolve from here. Kept as plain, L19: // auditable strings: obfuscating them (e.g. base64 at runtime) is a pattern L20: // supply-chain scanners treat as MORE suspicious, not less. ... L30: L31: function assetName(platform = process.platform, arch = process.arch) { L32: if (platform === "linux" && arch === "x64") { ... L59: function binaryPath() {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/install.jsView on unpkg · L6

Findings

3 High2 Medium2 Low
HighChild Processbin/controlkeel.js
HighSame File Env Network Executionlib/install.js
HighSandbox Evasion Gated Capabilitylib/install.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowUrl Strings