registry  /  @sequenceholdings/artifact-studio  /  0.1.10

@sequenceholdings/artifact-studio@0.1.10

SDK types and CLI library for building Artifact Studio apps. Driven via `seq-studio artifact <sub>` (@sequenceholdings/studio-cli), which runs the `./cli` runCli export.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 32 file(s), 142 KB of source, external domains: api.studio.com, atlas.seqholdings.com, banksouth.seqholdings.com, libraries.cgr.dev, staging.atlas.seqholdings.com

Source & flagged code

3 flagged · loading source
dist/dev-link.jsView file
1import { spawn } from 'node:child_process'; L2: import { createHash } from 'node:crypto';
High
Child Process

Package source references child process execution.

dist/dev-link.jsView on unpkg · L1
dist/auth.jsView file
1import { createHash, randomBytes } from 'node:crypto'; L2: import { createServer } from 'node:http'; L3: import { spawn } from 'node:child_process'; L4: import { writeTokenConfig, readTokenConfig } from './config.js'; ... L10: function envOr(name, fallback) { L11: return process.env[name]?.trim() || fallback; L12: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/auth.jsView on unpkg · L1
1import { createHash, randomBytes } from 'node:crypto'; L2: import { createServer } from 'node:http'; L3: import { spawn } from 'node:child_process'; L4: import { writeTokenConfig, readTokenConfig } from './config.js'; ... L10: function envOr(name, fallback) { L11: return process.env[name]?.trim() || fallback; L12: } ... L19: } L20: function base64Url(input) { L21: return input.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''); ... L23: function openBrowser(url) { L24: const command = process.platform === 'darwin'
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/auth.jsView on unpkg · L1

Findings

4 High3 Medium5 Low
HighChild Processdist/dev-link.js
HighShell
HighSame File Env Network Executiondist/auth.js
HighSandbox Evasion Gated Capabilitydist/auth.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License