registry  /  @inkbox/sdk  /  0.4.18

@inkbox/sdk@0.4.18

TypeScript SDK for the Inkbox API

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 526 KB of source, external domains: inkbox.ai

Source & flagged code

4 flagged · loading source
dist/tunnels/client/_cert.jsView file
168patternName = private_key_rsa severity = critical line = 168 matchedText = return `...\n`;
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/tunnels/client/_cert.jsView on unpkg · L168
168patternName = private_key_rsa severity = critical line = 168 matchedText = return `...\n`;
Critical
Secret Pattern

RSA private key in dist/tunnels/client/_cert.js

dist/tunnels/client/_cert.jsView on unpkg · L168
dist/contacts/resources/vcards.jsView file
21*/ L22: async import(content, contentType = VCARD_CONTENT_TYPE) { L23: const data = await this.http.postRaw(`${BASE}/import`, content, contentType);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/contacts/resources/vcards.jsView on unpkg · L21
dist/tunnels/client/_ws_passthrough.jsView file
3* L4: * WebSocket support for passthrough mode. L5: * ... L18: .update(key + WS_GUID, "ascii") L19: .digest("base64"); L20: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/tunnels/client/_ws_passthrough.jsView on unpkg · L3

Findings

2 Critical3 Medium6 Low
CriticalCritical Secretdist/tunnels/client/_cert.js
CriticalSecret Patterndist/tunnels/client/_cert.js
MediumDynamic Requiredist/contacts/resources/vcards.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/tunnels/client/_ws_passthrough.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings