registry  /  @sellable/admin-install  /  0.1.7

@sellable/admin-install@0.1.7

Internal Sellable Admin installer for Claude Code and Codex

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 169 KB of source, external domains: 127.0.0.1, api.browser-use.com, api.grain.com, app.sellable.dev, browser-use.com, contracts.sellable.dev, example.com, json.schemastore.org, sellable.dev, www.notion.so

Source & flagged code

6 flagged · loading source
bin/sellable-admin-install.mjsView file
61patternName = private_key_rsa severity = critical line = 61 matchedText = /-----BE...-/g,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bin/sellable-admin-install.mjsView on unpkg · L61
61patternName = private_key_rsa severity = critical line = 61 matchedText = /-----BE...-/g,
Critical
Secret Pattern

RSA private key in bin/sellable-admin-install.mjs

bin/sellable-admin-install.mjsView on unpkg · L61
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process"; L3: import {
High
Child Process

Package source references child process execution.

bin/sellable-admin-install.mjsView on unpkg · L1
runtime/scripts/update-reply-draft.mjsView file
95token: sellable.token, L96: apiUrl: sellable.apiUrl || "https://app.sellable.dev", L97: }; ... L101: return ( L102: process.env.SLACK_PP_CLI || L103: path.join(repoRoot, "scripts", "slack-pp-cli") ... L107: function runSlack(args) { L108: const result = spawnSync(slackCliPath(), args, { L109: cwd: repoRoot,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/scripts/update-reply-draft.mjsView on unpkg · L95
runtime/scripts/notion-publish-harness.pyView file
path = runtime/scripts/notion-publish-harness.py kind = build_helper sizeBytes = 19344 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/scripts/notion-publish-harness.pyView on unpkg
scripts/sync-runtime-assets.mjsView file
42patternName = private_key_rsa severity = critical line = 42 matchedText = /-----BE...-/g,
Critical
Secret Pattern

RSA private key in scripts/sync-runtime-assets.mjs

scripts/sync-runtime-assets.mjsView on unpkg · L42

Findings

3 Critical3 High4 Medium4 Low
CriticalCritical Secretbin/sellable-admin-install.mjs
CriticalSecret Patternbin/sellable-admin-install.mjs
CriticalSecret Patternscripts/sync-runtime-assets.mjs
HighChild Processbin/sellable-admin-install.mjs
HighShell
HighSame File Env Network Executionruntime/scripts/update-reply-draft.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperruntime/scripts/notion-publish-harness.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings