@asterworks/agent-console@0.1.14

Local-first AI coding agent safety, work audit, and outcome dashboard for Claude Code and Codex.

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 933 KB of source, external domains: 21st.dev, api.example.com, api.slack.com, console.anthropic.com, console.aws.amazon.com, console.cloud.google.com, console.neon.tech, dashboard.stripe.com, fb.me, github.com, higgsfield.ai, platform.openai.com, reactjs.org, supabase.com, www.apple.com, www.w3.org

Source & flagged code

4 flagged
dist-cli/index.js
L814: patternName = private_key_rsa severity = critical line = 814 matchedText = if (kind...d]";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist-cli/index.js · L814
L814: patternName = private_key_rsa severity = critical line = 814 matchedText = if (kind...d]";
Critical
Secret Pattern

RSA private key in dist-cli/index.js

dist-cli/index.js · L814
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
L214: try {
L215: m = JSON.parse(row.metrics_json);
L216: } catch {
...
L222: if (row.type === "test_result") {
L223: if (typeof m.exitCode === "number" && m.exitCode !== 0) testsFailed += 1;
L224: else testsPassed += 1;
...
L445: "use strict";
L446: DEFAULT_CONFIG_DIR = join(homedir(), ".aster-agent-console");
L447: DEFAULT_DB_PATH = join(DEFAULT_CONFIG_DIR, "agent-console.db");
...
L606: });
L607: import { spawn } from "child_process";
L608: function openBrowser(url) {
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

dist-cli/index.js · L214
L214: try {
L215: m = JSON.parse(row.metrics_json);
L216: } catch {
...
L222: if (row.type === "test_result") {
L223: if (typeof m.exitCode === "number" && m.exitCode !== 0) testsFailed += 1;
L224: else testsPassed += 1;
...
L445: "use strict";
L446: DEFAULT_CONFIG_DIR = join(homedir(), ".aster-agent-console");
L447: DEFAULT_DB_PATH = join(DEFAULT_CONFIG_DIR, "agent-console.db");
...
L606: });
L607: import { spawn } from "child_process";
L608: function openBrowser(url) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-cli/index.js · L214

Findings

2 Critical · 1 High · 5 Medium · 5 Low
Critical · Critical Secret · dist-cli/index.js
Critical · Secret Pattern · dist-cli/index.js
High · Entrypoint Build Divergence · dist-cli/index.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist-cli/index.js
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings