registry  /  sdtk-kit  /  1.18.0

sdtk-kit@1.18.0

Install all six SDTK toolkits in one command. Meta-package for sdtk-spec-kit, sdtk-code-kit, sdtk-ops-kit, sdtk-design-kit, sdtk-wiki-kit, and sdtk-agent-kit.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 21 file(s), 116 KB of source, external domains: sdtk.dev

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/evolve.test.jsView file
103patternName = aws_access_key severity = critical line = 103 matchedText = assert.o... 0);
Critical
Critical Secret

Package contains a critical-looking secret pattern.

scripts/evolve.test.jsView on unpkg · L103
103patternName = aws_access_key severity = critical line = 103 matchedText = assert.o... 0);
Critical
Secret Pattern

AWS access key ID in scripts/evolve.test.js

scripts/evolve.test.jsView on unpkg · L103
104patternName = private_key_rsa severity = critical line = 104 matchedText = assert.o... 0);
Critical
Secret Pattern

RSA private key in scripts/evolve.test.js

scripts/evolve.test.jsView on unpkg · L104
bin/sdtk-ops.jsView file
5// See bin/sdtk-spec.js for the rationale behind these shims. L6: require("sdtk-ops-kit/bin/sdtk-ops.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/sdtk-ops.jsView on unpkg · L5
scripts/unified-runtime.test.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sdtk-kit@1.14.0 matchedIdentity = npm:c2R0ay1raXQ:1.14.0 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/unified-runtime.test.jsView on unpkg

Findings

3 Critical2 High5 Medium4 Low
CriticalCritical Secretscripts/evolve.test.js
CriticalSecret Patternscripts/evolve.test.js
CriticalSecret Patternscripts/evolve.test.js
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltascripts/unified-runtime.test.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/sdtk-ops.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings