registry  /  typebulb  /  0.20.1

typebulb@0.20.1

⚠ Under review

Typebulb CLI to run single-file markdown apps called bulbs, either as standalone web apps or embedded in agent responses.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 1.42 MB of source, external domains: api.anthropic.com, api.openai.com, api.typebulb.com, cdn.jsdelivr.net, cdn.skypack.dev, data.jsdelivr.com, esm.sh, generativelanguage.googleapis.com, openrouter.ai, registry.npmjs.org, unpkg.com
Oversized source lightweight scan
dist/agents/claude/client.js2.42 MB file, sampled 256 KB
NetworkChildProcessEvalObfuscatedHighEntropyStringsUrlStringscdn.skypack.devunpkg.com
dist/agents/pi/client.js2.41 MB file, sampled 256 KB
NetworkChildProcessEvalHighEntropyStringsUrlStringscdn.skypack.devesm.shunpkg.com

Source & flagged code

8 flagged · loading source
dist/servers.jsView file
139`)+1;for(;t!==0;)this.onNewLine(this.offset+t),t=this.source.indexOf(` L140: `,t)+1}return{type:e,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(e){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L141: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let i=Ca(n);if(!i)return nul...
High
Child Process

Package source references child process execution.

dist/servers.jsView on unpkg · L139
139`)+1;for(;t!==0;)this.onNewLine(this.offset+t),t=this.source.indexOf(` L140: `,t)+1}return{type:e,offset:this.offset,indent:this.indent,source:this.source}}startBlockValue(e){switch(this.type){case"alias":case"scalar":case"single-quoted-scalar":case"double-... L141: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let i=Ca(n);if(!i)return nul... ... L147: `)}var ad=aa(Wo(),1);function Zt(s){return{...si(s),server:s.files.get("server.ts")??""}}function Go(s){return!!s.server&&!s.code}function es(s){let e=/^---[^\n]*\n([\s\S]*?)\n---/... L148: `)).map(e=>e.root)}function wd(s){let e=fe(s);if(!e)return s;let t=e.files.get("code.tsx");if(!t)return s;let n=zo(t);if(!n.length)return s;let i=e.files.get("config.json"),r={};if...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/servers.jsView on unpkg · L139
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = typebulb@0.18.7 matchedIdentity = npm:dHlwZWJ1bGI:0.18.7 similarity = 0.356 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
357const child = spawn(command, { L358: shell: true, L359: stdio: ["ignore", "pipe", "ignore"],
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L357
323L324: **Fix:** Replace all \`require()\` calls with ES6 \`import\` statements at the top of the file.`}var ut,ft,zw,Qw,ys=R(()=>{ut=["client"],ft=["client","server"],zw=[{type:"DYNAMIC_I... L325: `)}var Ht,Dv,Bv,jv,Wt,Hs,Vt=R(()=>{Ht={anthropic:"ANTHROPIC_API_KEY",openai:"OPENAI_API_KEY",gemini:"GOOGLE_API_KEY",openrouter:"OPENROUTER_API_KEY"};Dv="https://api.typebulb.com/a... L326: `),n=[];if(t.forEach((o,a)=>{let c=AS(o);c!==void 0&&n.push({id:c,idx:a})}),!n.length)return e==="latest"?r:"";let s=e==="latest"?n[n.length-1]:n.find(o=>o.id===e);if(!s)return"";l... ... L328: \u2026[${r.length-5e4} more characters truncated]`:r}function $e(r){let e=r.replace(CS,"").split(` L329: `).map(i=>i.trim()).filter(Boolean),t=e[0];if(!t)return"";let n=t.length>96?t.slice(0,96).trimEnd()+"\u2026":t,s=e.length-1;return s>0?`${n} (+${s} line${s===1?"":"s"})`:n}var CS,c... L330: `):r==null?"":Se(JSON.stringify(r))}function JS(r){let e=r.trim();return!!e&&vp.some(t=>t.test(e))}function KS(r){let e=r.trim();return e?vp.some(t=>{let n=t.exec(e);return!!n&&n.i...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L323
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: var Gm=Object.create;var Ci=Object.defineProperty;var zm=Object.getOwnPropertyDescriptor;var Qm=Object.getOwnPropertyNames;var Xm=Object.getPrototypeOf,Zm=Object.prototype.hasOwnPr... L4: `),t=0;if(e[t]?.trim()!=="---")return null;t++;let n=[];for(;t<e.length&&e[t]?.trim()!=="---";)n.push(e[t]),t++;if(e[t]?.trim()!=="---")return null;t++;let s=ph(n);if(!s)return nul... ... L9: ${o}`});return["---",`format: ${Gc}`,`name: ${Li(r.name)}`,"---","",...e].join(` L10: `)}var nl=R(()=>{yn();bn()});function sl(r){if(!r.trim())return{};try{return JSON.parse(r)}catch{return{}}}var il=R(()=>{});var ol=R(()=>{});function Mi(r,e,t){let s=new RegExp(e).... L11: >/]`,i);if(n&&console.log("[xml-utils] start:",o),o===-1)return;let a=r.slice(o+e.length),c=ar(a,"^[^<]*[ /]>",0),l=c!==-1&&a[c-1]==="/";if(n&&console.log("[xml-utils] selfClosing:... ... L181: \`\`\`typescript L182: import React from "https://esm.sh/react" L183: import _ from "https://cdn.skypack.dev/lodash" ... L295: L296: **CRITICAL**: \`window.location\` changes, \`window.open()\`, and page reloads will break the app. L297:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L2
dist/render.jsView file
275`);return a===-1&&(a=i.length,i+=` L276: `),{code:i.slice(0,a+1)+s+i.slice(a+1)+n,mappings:this.shiftMappings(o.mappings,s.length)}}else return{code:s+i+n,mappings:this.shiftMappings(o.mappings,s.length)}}processBalancedC... L277: `);for(let a=0;a<i.length;a++){let l=i[a],u=a+1;for(let f of ek)f.targets.includes(s)&&f.pattern.test(l)&&o.push({type:f.type,severity:"error",message:ik(f.type,u),lineNumber:u,lin...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/render.jsView on unpkg · L275
dist/agents/claude/client.jsView file
path = dist/agents/claude/client.js kind = oversized_source_file sizeBytes = 2541690 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/agents/claude/client.jsView on unpkg

Findings

1 Critical5 High3 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/servers.js
HighShelldist/index.js
HighSame File Env Network Executiondist/servers.js
HighCommand Output Exfiltrationdist/index.js
HighOversized Source Filedist/agents/claude/client.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/render.js
LowWeak Cryptodist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings