registry  /  @opensea/cli  /  1.12.2

@opensea/cli@1.12.2

⚠ Under review

OpenSea CLI - Query the OpenSea API from the command line or programmatically

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 133 KB of source, external domains: api.opensea.io, api.privy.io, auth.opensea.io, eth.merkle.io, github.com, opensea.io

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @opensea/cli@1.12.0 matchedIdentity = npm:QG9wZW5zZWEvY2xp:1.12.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
10import { extractOpenSeaScopes } from "@opensea/sdk"; L11: var AUTH_DIR = join(homedir(), ".opensea"); L12: var AUTH_FILE = join(AUTH_DIR, "auth.json"); ... L26: const data = readFileSync(AUTH_FILE, "utf-8"); L27: return JSON.parse(data); L28: } catch { ... L80: // src/client.ts L81: var DEFAULT_BASE_URL = "https://api.opensea.io"; L82: var DEFAULT_TIMEOUT_MS = 3e4; ... L177: async post(path, body, params) { L178: return this.write("POST", path, body, params); L179: }
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L10

Findings

1 Critical1 High2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighCredential Exfiltrationdist/cli.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings