registry  /  @ai-setting/agent-bounty  /  0.4.3

@ai-setting/agent-bounty@0.4.3

AI Agent Bounty System — Task publishing, grabbing, and communication platform. v0.4.1: upgrade roy deps (cli 1.5.103, coder-harness 1.5.50, core 1.5.99).

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 80 file(s), 1.49 MB of source, external domains: accounts.google.com, api.nodemailer.com, bounty.example.com, bounty.tongagents.example.com, ethereal.email, github.com, nodemailer.com, yargs.js.org

Source & flagged code

4 flagged · loading source
dist/bin/bounty.jsView file
6633} L6634: exec(sql) { L6635: this.db.exec(sql);
High
Child Process

Package source references child process execution.

dist/bin/bounty.jsView on unpkg · L6633
75Cross-file remote execution chain: dist/bin/bounty.js spawns dist/server/server.js; helper contains network access plus dynamic code execution. L75: function supportsAnsi() { L76: return process.stdout.isTTY; L77: } ... L108: if (!result.parsed) { L109: const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`); L110: err.code = "MISSING_DATA"; ... L142: } L143: if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) { L144: return process.env.DOTENV_KEY; ... L193: } else { L194: possibleVaultPath = path.resolve(process.cwd(), ".env.vault"); L195: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/bounty.jsView on unpkg · L75
51var require_main = __commonJS((exports, module) => { L52: var fs = __require("fs"); L53: var path = __require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/bounty.jsView on unpkg · L51
75function supportsAnsi() { L76: return process.stdout.isTTY; L77: } ... L108: if (!result.parsed) { L109: const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`); L110: err.code = "MISSING_DATA"; ... L142: } L143: if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) { L144: return process.env.DOTENV_KEY; ... L193: } else { L194: possibleVaultPath = path.resolve(process.cwd(), ".env.vault"); L195: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/bin/bounty.jsView on unpkg · L75

Findings

3 High5 Medium5 Low
HighChild Processdist/bin/bounty.js
HighShell
HighCross File Remote Execution Contextdist/bin/bounty.js
MediumDynamic Requiredist/bin/bounty.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/bin/bounty.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings