@tapi-dev/sdk@0.1.31

Official JavaScript and TypeScript client for TAPI developer APIs.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface (source): Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No License
scanned 15 file(s), 172 KB of source, external domains: 127.0.0.1, d4xaf52nfwiok.cloudfront.net, determined-motivation-production.up.railway.app, identitytoolkit.googleapis.com, rsarlong-1f92fd.gitlab.io, securetoken.googleapis.com

Source & flagged code

3 flagged

dist/cli.js, line 20
    patternName = google_api_key, severity = high, line = 20, matchedText = const DE...gE";
High · High Secret

Package contains a high-severity secret pattern.

dist/cli.js, line 20
    patternName = google_api_key, severity = high, line = 20, matchedText = const DE...gE";
High · Secret Pattern

Google API key in dist/cli.js

dist/cli.js, lines 1004-1006
    1004: const moduleUrl = pathToFileURL(configPath).href;
    1005: const module = await import(moduleUrl);
    1006: return module.default ?? module;
Medium · Dynamic Require

Package source references dynamic require/import behavior.

Findings

2 High, 4 Medium, 6 Low

High · High Secret · dist/cli.js
High · Secret Pattern · dist/cli.js
Medium · Dynamic Require · dist/cli.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk (Force Deep Review)
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License