registry  /  website-api  /  1.2.1

website-api@1.2.1

CLI and library to query website private APIs with your real logged-in Chrome session

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 44 file(s), 264 KB of source, external domains: api.census.gov, api.e-zpassny.com, claude.ai, clients6.google.com, cursor.com, gemini.google.com, mysmartenergy.nj.pseg.com, ollama.com, raw.githubusercontent.com, secure.chase.com, tigerweb.geo.census.gov, voice.google.com, website-api-list.lgnat.com, www.e-zpassny.com, www.google.com, www.perplexity.ai, www.zillow.com

Source & flagged code

7 flagged · loading source
dist/src/sites/voice.google.com/api/voice-helpers.jsView file
12patternName = google_api_key severity = high line = 12 matchedText = export c...llow
High
High Secret

Package contains a high-severity secret pattern.

dist/src/sites/voice.google.com/api/voice-helpers.jsView on unpkg · L12
12patternName = google_api_key severity = high line = 12 matchedText = export c...llow
High
Secret Pattern

Google API key in dist/src/sites/voice.google.com/api/voice-helpers.js

dist/src/sites/voice.google.com/api/voice-helpers.jsView on unpkg · L12
2/** L3: * Google Voice's web app fetches data from a private JSON+protobuf API: L4: * POST https://clients6.google.com/voice/v1/voiceclient/<method>?alt=protojson&key=<API_KEY> L5: * ... L96: "x-javascript-user-agent": "google-api-javascript-client/1.1.0", L97: "x-goog-encode-response-if-executable": "base64", L98: Cookie: cookieHeader,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/sites/voice.google.com/api/voice-helpers.jsView on unpkg · L2
dist/src/core/context.jsView file
134browser, L135: async eval(fn, arg) { L136: const page = await browser();
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/core/context.jsView on unpkg · L134
dist/src/core/registry.jsView file
308try { L309: mod = await import(pathToFileURL(filePath).href); L310: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/core/registry.jsView on unpkg · L308
dist/src/capabilities/login/login-helper.jsView file
154patternName = generic_password severity = medium line = 154 matchedText = console....'`);
Medium
Secret Pattern

Hardcoded password in dist/src/capabilities/login/login-helper.js

dist/src/capabilities/login/login-helper.jsView on unpkg · L154
dist/src/sites/voice.google.com/api/voice-helpers.d.tsView file
12patternName = google_api_key severity = high line = 12 matchedText = export d...Bg";
High
Secret Pattern

Google API key in dist/src/sites/voice.google.com/api/voice-helpers.d.ts

dist/src/sites/voice.google.com/api/voice-helpers.d.tsView on unpkg · L12

Findings

3 High4 Medium6 Low
HighHigh Secretdist/src/sites/voice.google.com/api/voice-helpers.js
HighSecret Patterndist/src/sites/voice.google.com/api/voice-helpers.js
HighSecret Patterndist/src/sites/voice.google.com/api/voice-helpers.d.ts
MediumDynamic Requiredist/src/core/registry.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/src/capabilities/login/login-helper.js
LowScripts Present
LowEvaldist/src/core/context.js
LowWeak Cryptodist/src/sites/voice.google.com/api/voice-helpers.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings