registry  /  @sellable/admin-install  /  0.1.155-hermes06.202607130055

@sellable/admin-install@0.1.155-hermes06.202607130055

Internal Sellable Admin installer for Claude Code and Codex

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 61 file(s), 867 KB of source, external domains: 127.0.0.1, api.browser-use.com, api.browserbase.com, api.grain.com, api.slack.com, app.sellable.dev, app.slack.com, browser-use.com, contracts.sellable.dev, example.com, json.schemastore.org, sellable.dev, slack.com, www.notion.so

Source & flagged code

8 flagged · loading source
bin/sellable-admin-install.mjsView file
96patternName = private_key_rsa severity = critical line = 96 matchedText = /-----BE...-/g,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bin/sellable-admin-install.mjsView on unpkg · L96
96patternName = private_key_rsa severity = critical line = 96 matchedText = /-----BE...-/g,
Critical
Secret Pattern

RSA private key in bin/sellable-admin-install.mjs

bin/sellable-admin-install.mjsView on unpkg · L96
2160patternName = private_key_rsa severity = critical line = 2160 matchedText = return /...ue);
Critical
Secret Pattern

RSA private key in bin/sellable-admin-install.mjs

bin/sellable-admin-install.mjsView on unpkg · L2160
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process"; L3: import { createHash } from "node:crypto";
High
Child Process

Package source references child process execution.

bin/sellable-admin-install.mjsView on unpkg · L1
runtime/scripts/browserbase-slack-provision.mjsView file
2import { createHash, createHmac } from "node:crypto"; L3: import { spawn, spawnSync } from "node:child_process"; L4: import { chmodSync, existsSync, lstatSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, writeFileSync } from "node:fs"; ... L47: async function browserbaseJson(env, path, options = {}) { L48: const response = await fetch(`https://api.browserbase.com${path}`, { L49: ...options, ... L55: }); L56: const body = await response.json().catch(() => ({})); L57: return { ok: response.ok, status: response.status, body }; ... L73: method: "POST", L74: body: JSON.stringify({ projectId: env.BROWSERBASE_PROJECT_ID }), L75: });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

runtime/scripts/browserbase-slack-provision.mjsView on unpkg · L2
runtime/scripts/update-reply-draft.mjsView file
95token: sellable.token, L96: apiUrl: sellable.apiUrl || "https://app.sellable.dev", L97: }; ... L101: return ( L102: process.env.SLACK_PP_CLI || L103: path.join(repoRoot, "scripts", "slack-pp-cli") ... L107: function runSlack(args) { L108: const result = spawnSync(slackCliPath(), args, { L109: cwd: repoRoot,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/scripts/update-reply-draft.mjsView on unpkg · L95
runtime/scripts/notion-publish-harness.pyView file
path = runtime/scripts/notion-publish-harness.py kind = build_helper sizeBytes = 19344 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/scripts/notion-publish-harness.pyView on unpkg
scripts/sync-runtime-assets.mjsView file
48patternName = private_key_rsa severity = critical line = 48 matchedText = /-----BE...-/g,
Critical
Secret Pattern

RSA private key in scripts/sync-runtime-assets.mjs

scripts/sync-runtime-assets.mjsView on unpkg · L48

Findings

4 Critical3 High4 Medium5 Low
CriticalCritical Secretbin/sellable-admin-install.mjs
CriticalSecret Patternbin/sellable-admin-install.mjs
CriticalSecret Patternbin/sellable-admin-install.mjs
CriticalSecret Patternscripts/sync-runtime-assets.mjs
HighChild Processbin/sellable-admin-install.mjs
HighShell
HighSame File Env Network Executionruntime/scripts/update-reply-draft.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperruntime/scripts/notion-publish-harness.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoruntime/scripts/browserbase-slack-provision.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings