registry  /  typebulb  /  0.23.1

typebulb@0.23.1

Typebulb CLI to run single-file markdown apps called bulbs, either as standalone web apps or embedded in agent responses.

Static Scan Results

scanned 1h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 1.54 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, api.typebulb.com, cdn.jsdelivr.net, cdn.skypack.dev, data.jsdelivr.com, esm.sh, generativelanguage.googleapis.com, openrouter.ai, registry.npmjs.org, unpkg.com
Oversized source lightweight scan
dist/agents/claude/client.js2.43 MB file, sampled 256 KB
NetworkChildProcessEvalObfuscatedHighEntropyStringsUrlStringscdn.skypack.devunpkg.com
dist/agents/pi/client.js2.43 MB file, sampled 256 KB
NetworkChildProcessEvalObfuscatedHighEntropyStringsUrlStringscdn.skypack.devunpkg.com

Source & flagged code

7 flagged · loading source
dist/servers.jsView file
139`)+1;for(;t!==0;)this.onNewLine(this.offset+t),t=this.source.indexOf(` L140: `,t)+1}return{type:e,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(e){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L141: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let r=Ya(n);if(!r)return nul...
High
Child Process

Package source references child process execution.

dist/servers.jsView on unpkg · L139
139`)+1;for(;t!==0;)this.onNewLine(this.offset+t),t=this.source.indexOf(` L140: `,t)+1}return{type:e,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(e){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L141: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let r=Ya(n);if(!r)return nul... ... L147: `)}var Ad=Aa(oa(),1);function rs(s){return{...mr(s),server:s.files.get("server.ts")??""}}function aa(s){return!!s.server&&!s.code}function is(s){let e=/^---[^\n]*\n([\s\S]*?)\n---/... L148: `)).map(e=>e.root)}function xd(s){let e=he(s);if(!e)return s;let t=e.files.get("code.tsx");if(!t)return s;let n=fa(t);if(!n.length)return s;let r=e.files.get("config.json"),i={};if... L149:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/servers.jsView on unpkg · L139
dist/index.jsView file
347`)){if(!l.trim())continue;let f;try{f=JSON.parse(l)}catch{continue}if(!f||mn(f)||f.type!=="user")continue;let u=f.message?.content,d="";typeof u=="string"?d=rt(u):Array.isArray(u)&... L348: `),c=i.filter(u=>u.type==="tool_use").map(u=>({id:u.id??"",name:u.name??"",input:u.input??{}}));if(o||a||c.length){let u=Date.parse(e.timestamp??""),d=!isNaN(u)&&u>=t;n.push({type:... L349: name: typebulb
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L347
325L326: `){let n=e.filter(s=>s.role==="system").map(s=>s.content);return{system:n.length?n.join(t):void 0,conversationMessages:e.filter(s=>s.role!=="system")}}parseJsonError(e,t){if(!e)ret... L327: `)),!t&&s.type==="message"&&s.content&&(t=s.content.filter(i=>i.type==="output_text").map(i=>i.text).join(""));return{text:t,reasoning:n}}parseProviderStreamChunk(e){if(!this.isRes... ... L332: `),c={contents:o.map(f=>({role:f.role==="assistant"?"model":"user",parts:[{text:f.content}]}))};n?.webSearch!==!1&&(c.tools=[{google_search:{}}]),i&&(c.systemInstruction={role:"sys... L333: `)[0],type:s.status,code:s.code?.toString()}:n.message?{message:n.message}:{message:e}}catch{return{message:e}}}parseNonStreamingResponse(e){if(this.checkAndThrowError(e),this.chec... L334: \r ... L338: `).trim();if(!n)return null;if(n==="[DONE]")return"done";try{return JSON.parse(n)}catch{return null}}async function*fp(r,e,t){let n=new TextDecoder,s="",i=e?new Promise((o,a)=>{e.a... L339: `)}var rr,US,JS,KS,tr,si,nr=R(()=>{rr={anthropic:"ANTHROPIC_API_KEY",openai:"OPENAI_API_KEY",gemini:"GOOGLE_API_KEY",openrouter:"OPENROUTER_API_KEY"};US="https://api.typebulb.com/a... L340: `),n=[];if(t.forEach((o,a)=>{l
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L325
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: var eg=Object.create;var Vi=Object.defineProperty;var tg=Object.getOwnPropertyDescriptor;var rg=Object.getOwnPropertyNames;var ng=Object.getPrototypeOf,sg=Object.prototype.hasOwnPr... L4: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let s=bg(n);if(!s)return nul... ... L9: ${o}`});return["---",`format: ${vl}`,`name: ${Qi(r.name)}`,"---","",...e].join(` L10: `)}var Ol=R(()=>{On();Rn()});function Rl(r){if(!r.trim())return{};try{return JSON.parse(r)}catch{return{}}}var _l=R(()=>{});var Cl=R(()=>{});function Zi(r,e,t){let s=new RegExp(e).... L11: >/]`,i);if(n&&console.log("[xml-utils] start:",o),o===-1)return;let a=r.slice(o+e.length),c=br(a,"^[^<]*[ /]>",0),l=c!==-1&&a[c-1]==="/";if(n&&console.log("[xml-utils] selfClosing:... ... L181: \`\`\`typescript L182: import React from "https://esm.sh/react" L183: import _ from "https://cdn.skypack.dev/lodash" ... L295: L296: **CRITICAL**: \`window.location\` changes, \`window.open()\`, and page reloads will break the app. L297:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L2
dist/render.jsView file
275`);return a===-1&&(a=i.length,i+=` L276: `),{code:i.slice(0,a+1)+s+i.slice(a+1)+n,mappings:this.shiftMappings(o.mappings,s.length)}}else return{code:s+i+n,mappings:this.shiftMappings(o.mappings,s.length)}}processBalancedC... L277: `);for(let a=0;a<i.length;a++){let l=i[a],u=a+1;for(let f of ek)f.targets.includes(s)&&f.pattern.test(l)&&o.push({type:f.type,severity:"error",message:ik(f.type,u),lineNumber:u,lin...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/render.jsView on unpkg · L275
dist/agents/claude/client.jsView file
path = dist/agents/claude/client.js kind = oversized_source_file sizeBytes = 2547393 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/agents/claude/client.jsView on unpkg

Findings

5 High3 Medium8 Low
HighChild Processdist/servers.js
HighShelldist/index.js
HighSame File Env Network Executiondist/servers.js
HighCommand Output Exfiltrationdist/index.js
HighOversized Source Filedist/agents/claude/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/render.js
LowWeak Cryptodist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings