registry  /  typebulb  /  0.19.0

typebulb@0.19.0

⚠ Under review

Typebulb CLI to run single-file markdown apps called bulbs, either as standalone web apps or embedded in agent responses.

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 1.43 MB of source, external domains: api.anthropic.com, api.openai.com, api.typebulb.com, cdn.jsdelivr.net, cdn.skypack.dev, data.jsdelivr.com, esm.sh, generativelanguage.googleapis.com, openrouter.ai, registry.npmjs.org, unpkg.com
Oversized source lightweight scan
dist/agents/claude/client.js2.42 MB file, sampled 256 KB
NetworkChildProcessEvalObfuscatedHighEntropyStringsUrlStringscdn.skypack.devunpkg.com
dist/agents/pi/client.js2.41 MB file, sampled 256 KB
NetworkChildProcessEvalHighEntropyStringsUrlStringscdn.skypack.devunpkg.com

Source & flagged code

8 flagged · loading source
dist/servers.jsView file
139`)+1;for(;t!==0;)this.onNewLine(this.offset+t),t=this.source.indexOf(` L140: `,t)+1}return{type:e,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(e){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L141: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let i=Ba(n);if(!i)return nul...
High
Child Process

Package source references child process execution.

dist/servers.jsView on unpkg · L139
139`)+1;for(;t!==0;)this.onNewLine(this.offset+t),t=this.source.indexOf(` L140: `,t)+1}return{type:e,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(e){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L141: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let i=Ba(n);if(!i)return nul... ... L147: `)}var hd=oa(Go(),1);function Qo(s){return{...ni(s),server:s.files.get("server.ts")??""}}function Ho(s){if(s.server.trim())return"server-side code (server.ts)";let e=s.code;if(/\bt... L148: `))for(let i of gd)for(let r of n.matchAll(i)){let o=yd(r[1]);o&&!t.has(o)&&(t.add(o),e.push(o))}return e}function bd(s){let e=rt(s);if(!e)return s;let t=e.files.get("code.tsx");if...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/servers.jsView on unpkg · L139
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = typebulb@0.18.7 matchedIdentity = npm:dHlwZWJ1bGI:0.18.7 similarity = 0.870 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/index.jsView on unpkg
354const child = spawn(command, { L355: shell: true, L356: stdio: ["ignore", "pipe", "ignore"],
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L354
1258})(); L1259: </script>`;function vv(r){let e={};for(let[t,n]of Object.entries(r))e[t]=n.startsWith("https://")?"/proxy/"+n:n;return e}import*as Rs from"fs/promises";import*as Cs from"path";impo... L1260: `,"utf8"),await Z.writeFile(Q.join(e,"code.tsx"),r.code,"utf8"),await Z.writeFile(Q.join(e,"tb.d.ts"),Aa,"utf8"),{dir:e}}function Uv(r,e,t=[]){return{compilerOptions:{target:"es202... L1261: `,"utf8"),{dir:e}}function zv(r){let e={target:"es2023",module:"esnext",moduleResolution:"bundler",lib:["ES2023"],types:["node"],strict:!0,noEmit:!0,skipLibCheck:!0,esModuleInterop... L1262: `))console.log(`${e} ${n}`);return r.length>0}function rS(r,e){return new Promise(t=>{let n=Xv(process.execPath,[r,"--noEmit"],{cwd:e}),s="";n.stdout?.on("data",i=>{s+=i.toString()...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1258
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: var qh=Object.create;var Ai=Object.defineProperty;var Uh=Object.getOwnPropertyDescriptor;var Jh=Object.getOwnPropertyNames;var Kh=Object.getPrototypeOf,Wh=Object.prototype.hasOwnPr... L4: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let s=im(n);if(!s)return nul... ... L9: ${o}`});return["---",`format: ${Jc}`,`name: ${Ci(r.name)}`,"---","",...e].join(` L10: `)}var Qc=C(()=>{gn();yn()});function Xc(r){if(!r.trim())return{};try{return JSON.parse(r)}catch{return{}}}var Zc=C(()=>{});var el=C(()=>{});function Ni(r,e,t){let s=new RegExp(e).... L11: >/]`,i);if(n&&console.log("[xml-utils] start:",o),o===-1)return;let a=r.slice(o+e.length),c=er(a,"^[^<]*[ /]>",0),l=c!==-1&&a[c-1]==="/";if(n&&console.log("[xml-utils] selfClosing:... ... L181: \`\`\`typescript L182: import React from "https://esm.sh/react" L183: import _ from "https://cdn.skypack.dev/lodash" ... L295: L296: **CRITICAL**: \`window.location\` changes, \`window.open()\`, and page reloads will break the app. L297:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L2
dist/render.jsView file
275`);return a===-1&&(a=i.length,i+=` L276: `),{code:i.slice(0,a+1)+s+i.slice(a+1)+n,mappings:this.shiftMappings(o.mappings,s.length)}}else return{code:s+i+n,mappings:this.shiftMappings(o.mappings,s.length)}}processBalancedC... L277: `);for(let a=0;a<i.length;a++){let l=i[a],u=a+1;for(let f of zy)f.targets.includes(s)&&f.pattern.test(l)&&o.push({type:f.type,severity:"error",message:nk(f.type,u),lineNumber:u,lin...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/render.jsView on unpkg · L275
dist/agents/claude/client.jsView file
path = dist/agents/claude/client.js kind = oversized_source_file sizeBytes = 2541026 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/agents/claude/client.jsView on unpkg

Findings

1 Critical5 High3 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/servers.js
HighShelldist/index.js
HighSame File Env Network Executiondist/servers.js
HighCommand Output Exfiltrationdist/index.js
HighOversized Source Filedist/agents/claude/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/render.js
LowWeak Cryptodist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings