registry  /  sealclaw  /  2026.7.19

sealclaw@2026.7.19

⚠ Under review

Multi-channel AI gateway with extensible messaging integrations

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4,441 file(s), 37.5 MB of source, external domains: 127.0.0.1, accounts.feishu.cn, accounts.google.com, accounts.larksuite.com, accounts.openai.com, ai-gateway.vercel.sh, ai.azure.com, aiplatform.googleapis.com, aistudio.google.com, alimama.taobao.com, api-dashboard.search.brave.com, api.anthropic.com, api.arcee.ai, api.cerebras.ai, api.chutes.ai, api.cloudflare.com, api.copilot.example, api.deepgram.com, api.deepinfra.com, api.deepseek.com, api.dev.runwayml.com, api.elevenlabs.io, api.exa.ai, api.example.com, api.firecrawl.dev, api.fireworks.ai, api.github.com, api.gradium.ai, api.groq.com, api.individual.githubcopilot.com, api.inworld.ai, api.kilo.ai, api.kimi.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.openai.com, api.perplexity.ai, api.plivo.com, api.push.apple.com, api.sandbox.push.apple.com, api.search.brave.com, api.senseaudio.cn, api.stepfun.ai, api.stepfun.com, api.synthetic.new, api.tavily.com, api.telnyx.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.preinstall = node scripts/preinstall-package-manager-warning.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall-bundled-plugins.mjs && node scripts/postinstall-patch-pi-ai.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/proxy-cli.runtime-DKH7sHq8.jsView file
764patternName = generic_password severity = medium line = 764 matchedText = url.pass...ed";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/proxy-cli.runtime-DKH7sHq8.jsView on unpkg · L764
dist/dist-Bc5XAGjM.jsView file
497//#region node_modules/@mariozechner/pi-ai/dist/providers/register-builtins.js L498: const importNodeOnlyProvider = (specifier) => import(specifier); L499: let anthropicProviderModulePromise;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/dist-Bc5XAGjM.jsView on unpkg · L497
dist/control-ui/assets/index-8eXzbQ2W.jsView file
5751contains invisible/control Unicode U+200C (zero width non-joiner) `}var fX=re(E(((e,t)=>{(function(n,r){typeof e==`object`&&t!==void 0?t.exports=r():typeof define==`function`&&define.amd?define(r):n.JSON5=r()})(e,(function(){function e(e,t){return t={exports:{}},e(t,t.exports),t.exports}var t=e(function
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/control-ui/assets/index-8eXzbQ2W.jsView on unpkg · L5751
skills/model-usage/scripts/test_model_usage.pyView file
path = skills/model-usage/scripts/test_model_usage.py kind = build_helper sizeBytes = 1310 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/model-usage/scripts/test_model_usage.pyView on unpkg
docs/help/faq.mdView file
1379patternName = generic_password severity = medium line = 1379 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in docs/help/faq.md

docs/help/faq.mdView on unpkg · L1379
docs/gateway/tailscale.mdView file
99patternName = generic_password severity = medium line = 99 matchedText = auth: { ..." },
Medium
Secret Pattern

Hardcoded password in docs/gateway/tailscale.md

docs/gateway/tailscale.mdView on unpkg · L99
docs/gateway/configuration-reference.mdView file
365patternName = generic_password severity = medium line = 365 matchedText = // passw...WORD
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L365
395patternName = generic_password severity = medium line = 395 matchedText = // passw...rd",
Medium
Secret Pattern

Hardcoded password in docs/gateway/configuration-reference.md

docs/gateway/configuration-reference.mdView on unpkg · L395

Findings

1 Critical1 High12 Medium7 Low
CriticalTrojan Source Unicodedist/control-ui/assets/index-8eXzbQ2W.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patterndist/proxy-cli.runtime-DKH7sHq8.js
MediumDynamic Requiredist/dist-Bc5XAGjM.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helperskills/model-usage/scripts/test_model_usage.py
MediumStructural Risk Force Deep Review
MediumSecret Patterndocs/help/faq.md
MediumSecret Patterndocs/gateway/tailscale.md
MediumSecret Patterndocs/gateway/configuration-reference.md
MediumSecret Patterndocs/gateway/configuration-reference.md
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings