registry  /  sentinelayer-cli  /  0.34.5

sentinelayer-cli@0.34.5

⚠ Under review

Scaffold Sentinelayer spec/prompt/guide artifacts with secure browser auth and token bootstrap.

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 340 file(s), 3.56 MB of source, external domains: api.aidenid.com, api.anthropic.com, api.openai.com, api.sentinelayer.com, api.telegram.org, developers.openai.com, docs.anthropic.com, example.com, generativelanguage.googleapis.com, github.com, json-schema.org, json.schemastore.org, platform.openai.com, sentinelayer.com, www.npmjs.com

Source & flagged code

6 flagged · loading source
src/swarm/pentest.jsView file
350patternName = generic_password severity = medium line = 350 matchedText = password...rd",
Medium
Secret Pattern

Package contains a possible secret pattern.

src/swarm/pentest.jsView on unpkg · L350
src/ingest/engine.jsView file
1import { execFile } from "node:child_process"; L2: import { createHash } from "node:crypto";
High
Child Process

Package source references child process execution.

src/ingest/engine.jsView on unpkg · L1
61".bash": "Shell", L62: ".ps1": "PowerShell", L63: ".dockerfile": "Docker",
High
Shell

Package source references shell execution.

src/ingest/engine.jsView on unpkg · L61
src/legacy-cli.jsView file
602function getGitCommand() { L603: return String(process.env.SENTINELAYER_GIT_BIN || "").trim() || "git"; L604: } ... L607: const gitCommand = getGitCommand(); L608: const probe = spawnSync(gitCommand, ["rev-parse", "--is-inside-work-tree"], { L609: cwd, ... L615: function buildGithubCloneUrl(repoSlug) { L616: const base = String(DEFAULT_GITHUB_CLONE_BASE_URL || "https://github.com").trim().replace(/\/+$/g, ""); L617: return `${base}/${normalizeRepoSlug(repoSlug)}.git`;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/legacy-cli.jsView on unpkg · L602
src/agents/jules/tools/runtime-audit.jsView file
84stdio: ["pipe", "pipe", "pipe"], L85: shell: true, // Windows: npx is npx.cmd, needs shell resolution L86: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/agents/jules/tools/runtime-audit.jsView on unpkg · L84
src/mcp/cli-command-tools.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sentinelayer-cli@0.34.1 matchedIdentity = npm:c2VudGluZWxheWVyLWNsaQ:0.34.1 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/mcp/cli-command-tools.jsView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/mcp/cli-command-tools.js
HighChild Processsrc/ingest/engine.js
HighShellsrc/ingest/engine.js
HighSame File Env Network Executionsrc/legacy-cli.js
HighRuntime Package Installsrc/agents/jules/tools/runtime-audit.js
MediumSecret Patternsrc/swarm/pentest.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings