registry  /  @sellable/admin-install  /  0.1.56

@sellable/admin-install@0.1.56

Internal Sellable Admin installer for Claude Code and Codex

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 432 KB of source, external domains: 127.0.0.1, api.browser-use.com, api.browserbase.com, api.grain.com, api.slack.com, app.sellable.dev, app.slack.com, browser-use.com, contracts.sellable.dev, example.com, json.schemastore.org, sellable.dev, slack.com, www.notion.so

Source & flagged code

8 flagged · loading source
bin/sellable-admin-install.mjsView file
83patternName = private_key_rsa severity = critical line = 83 matchedText = /-----BE...-/g,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bin/sellable-admin-install.mjsView on unpkg · L83
83patternName = private_key_rsa severity = critical line = 83 matchedText = /-----BE...-/g,
Critical
Secret Pattern

RSA private key in bin/sellable-admin-install.mjs

bin/sellable-admin-install.mjsView on unpkg · L83
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process"; L3: import { createHash } from "node:crypto";
High
Child Process

Package source references child process execution.

bin/sellable-admin-install.mjsView on unpkg · L1
runtime/scripts/browserbase-slack-provision.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @sellable/admin-install@0.1.45 matchedIdentity = npm:QHNlbGxhYmxlL2FkbWluLWluc3RhbGw:0.1.45 similarity = 0.944 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

runtime/scripts/browserbase-slack-provision.mjsView on unpkg
2import { createHash, createHmac } from "node:crypto"; L3: import { spawnSync } from "node:child_process"; L4: import { chmodSync, existsSync, lstatSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs"; ... L44: async function browserbaseJson(env, path, options = {}) { L45: const response = await fetch(`https://api.browserbase.com${path}`, { L46: ...options, ... L52: }); L53: const body = await response.json().catch(() => ({})); L54: return { ok: response.ok, status: response.status, body }; ... L70: method: "POST", L71: body: JSON.stringify({ projectId: env.BROWSERBASE_PROJECT_ID }), L72: });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

runtime/scripts/browserbase-slack-provision.mjsView on unpkg · L2
runtime/scripts/update-reply-draft.mjsView file
95token: sellable.token, L96: apiUrl: sellable.apiUrl || "https://app.sellable.dev", L97: }; ... L101: return ( L102: process.env.SLACK_PP_CLI || L103: path.join(repoRoot, "scripts", "slack-pp-cli") ... L107: function runSlack(args) { L108: const result = spawnSync(slackCliPath(), args, { L109: cwd: repoRoot,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/scripts/update-reply-draft.mjsView on unpkg · L95
runtime/scripts/notion-publish-harness.pyView file
path = runtime/scripts/notion-publish-harness.py kind = build_helper sizeBytes = 19344 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/scripts/notion-publish-harness.pyView on unpkg
scripts/sync-runtime-assets.mjsView file
44patternName = private_key_rsa severity = critical line = 44 matchedText = /-----BE...-/g,
Critical
Secret Pattern

RSA private key in scripts/sync-runtime-assets.mjs

scripts/sync-runtime-assets.mjsView on unpkg · L44

Findings

3 Critical4 High4 Medium5 Low
CriticalCritical Secretbin/sellable-admin-install.mjs
CriticalSecret Patternbin/sellable-admin-install.mjs
CriticalSecret Patternscripts/sync-runtime-assets.mjs
HighChild Processbin/sellable-admin-install.mjs
HighShell
HighSame File Env Network Executionruntime/scripts/update-reply-draft.mjs
HighPrevious Version Dangerous Deltaruntime/scripts/browserbase-slack-provision.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperruntime/scripts/notion-publish-harness.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoruntime/scripts/browserbase-slack-provision.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings