registry  /  @sellable/admin-install  /  0.1.22

@sellable/admin-install@0.1.22

Internal Sellable Admin installer for Claude Code and Codex

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 234 KB of source, external domains: 127.0.0.1, api.browser-use.com, api.grain.com, app.sellable.dev, browser-use.com, contracts.sellable.dev, example.com, json.schemastore.org, sellable.dev, slack.com, www.notion.so

Source & flagged code

7 flagged · loading source
bin/sellable-admin-install.mjsView file
69patternName = private_key_rsa severity = critical line = 69 matchedText = /-----BE...-/g,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bin/sellable-admin-install.mjsView on unpkg · L69
69patternName = private_key_rsa severity = critical line = 69 matchedText = /-----BE...-/g,
Critical
Secret Pattern

RSA private key in bin/sellable-admin-install.mjs

bin/sellable-admin-install.mjsView on unpkg · L69
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process"; L3: import { createHash } from "node:crypto";
High
Child Process

Package source references child process execution.

bin/sellable-admin-install.mjsView on unpkg · L1
runtime/scripts/update-reply-draft.mjsView file
95token: sellable.token, L96: apiUrl: sellable.apiUrl || "https://app.sellable.dev", L97: }; ... L101: return ( L102: process.env.SLACK_PP_CLI || L103: path.join(repoRoot, "scripts", "slack-pp-cli") ... L107: function runSlack(args) { L108: const result = spawnSync(slackCliPath(), args, { L109: cwd: repoRoot,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/scripts/update-reply-draft.mjsView on unpkg · L95
runtime/scripts/notion-publish-harness.pyView file
path = runtime/scripts/notion-publish-harness.py kind = build_helper sizeBytes = 19344 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/scripts/notion-publish-harness.pyView on unpkg
runtime/scripts/install-local-mcp.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @sellable/admin-install@0.1.12 matchedIdentity = npm:QHNlbGxhYmxlL2FkbWluLWluc3RhbGw:0.1.12 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

runtime/scripts/install-local-mcp.mjsView on unpkg
scripts/sync-runtime-assets.mjsView file
42patternName = private_key_rsa severity = critical line = 42 matchedText = /-----BE...-/g,
Critical
Secret Pattern

RSA private key in scripts/sync-runtime-assets.mjs

scripts/sync-runtime-assets.mjsView on unpkg · L42

Findings

3 Critical4 High4 Medium4 Low
CriticalCritical Secretbin/sellable-admin-install.mjs
CriticalSecret Patternbin/sellable-admin-install.mjs
CriticalSecret Patternscripts/sync-runtime-assets.mjs
HighChild Processbin/sellable-admin-install.mjs
HighShell
HighSame File Env Network Executionruntime/scripts/update-reply-draft.mjs
HighPrevious Version Dangerous Deltaruntime/scripts/install-local-mcp.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperruntime/scripts/notion-publish-harness.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings