create-lovable-seo-agent@0.1.0

Install the SEO Agent (edge functions + MCP server + migrations) into any Lovable / Supabase project with a license key.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: NoLicense
scanned 1 file(s), 7.46 KB of source, external domains: yntavqukvncoiutdfndd.supabase.co

Source & flagged code

4 flagged
bin/index.mjs
L11: import { Readable } from "node:stream";
L12: import { spawn } from "node:child_process";
L13: import prompts from "prompts";
High
Child Process

Package source references child process execution.

bin/index.mjs · L11
L11: import { Readable } from "node:stream";
L12: import { spawn } from "node:child_process";
L13: import prompts from "prompts";
...
L17: const LICENSE_SERVER =
L18:   process.env.LOVABLE_SEO_LICENSE_SERVER ??
L19:   "https://yntavqukvncoiutdfndd.supabase.co/functions/v1/license-server";
L20:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/index.mjs · L11
L11: import { Readable } from "node:stream";
L12: import { spawn } from "node:child_process";
L13: import prompts from "prompts";
...
L17: const LICENSE_SERVER =
L18:   process.env.LOVABLE_SEO_LICENSE_SERVER ??
L19:   "https://yntavqukvncoiutdfndd.supabase.co/functions/v1/license-server";
L20:
L21: const CONFIG_DIR = join(homedir(), ".lovable-seo-agent");
L22: const CONFIG_FILE = join(CONFIG_DIR, "config.json");
...
L26: try {
L27:   return JSON.parse(readFileSync(CONFIG_FILE, "utf8"));
L28: } catch { return {}; }
High
Host Fingerprint Exfiltration

Source collects local host identity data and sends it to an external endpoint.

bin/index.mjs · L11
L11: import { Readable } from "node:stream";
L12: import { spawn } from "node:child_process";
L13: import prompts from "prompts";
...
L17: const LICENSE_SERVER =
L18:   process.env.LOVABLE_SEO_LICENSE_SERVER ??
L19:   "https://yntavqukvncoiutdfndd.supabase.co/functions/v1/license-server";
L20:
L21: const CONFIG_DIR = join(homedir(), ".lovable-seo-agent");
L22: const CONFIG_FILE = join(CONFIG_DIR, "config.json");
...
L26: try {
L27:   return JSON.parse(readFileSync(CONFIG_FILE, "utf8"));
L28: } catch { return {}; }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/index.mjs · L11

Findings

5 High · 3 Medium · 4 Low
High · Child Process · bin/index.mjs
High · Shell
High · Same File Env Network Execution · bin/index.mjs
High · Host Fingerprint Exfiltration · bin/index.mjs
High · Sandbox Evasion Gated Capability · bin/index.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License