@asterworks/agent-console@0.1.10

Local-first AI coding agent safety, work audit, and outcome dashboard for Claude Code and Codex.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 905 KB of source, external domains: api.example.com, fb.me, reactjs.org, www.apple.com, www.w3.org

Source & flagged code

5 flagged
dist-cli/index.js
Line 804: patternName = private_key_rsa severity = critical line = 804 matchedText = if (kind...d]";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist-cli/index.js · L804

Line 804: patternName = private_key_rsa severity = critical line = 804 matchedText = if (kind...d]";
Critical
Secret Pattern

RSA private key in dist-cli/index.js

dist-cli/index.js · L804

Line 205: Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
L205: try {
L206: m = JSON.parse(row.metrics_json);
L207: } catch {
...
L213: if (row.type === "test_result") {
L214: if (typeof m.exitCode === "number" && m.exitCode !== 0) testsFailed += 1;
L215: else testsPassed += 1;
...
L435: "use strict";
L436: DEFAULT_CONFIG_DIR = join(homedir(), ".aster-agent-console");
L437: DEFAULT_DB_PATH = join(DEFAULT_CONFIG_DIR, "agent-console.db");
...
L596: });
L597: import { spawn } from "child_process";
L598: function openBrowser(url) {
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

dist-cli/index.js · L205

matchType = previous_version_dangerous_delta matchedPackage = @asterworks/agent-console@0.1.8 matchedIdentity = npm:[redacted]:0.1.8 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist-cli/index.js

L205: try {
L206: m = JSON.parse(row.metrics_json);
L207: } catch {
...
L213: if (row.type === "test_result") {
L214: if (typeof m.exitCode === "number" && m.exitCode !== 0) testsFailed += 1;
L215: else testsPassed += 1;
...
L435: "use strict";
L436: DEFAULT_CONFIG_DIR = join(homedir(), ".aster-agent-console");
L437: DEFAULT_DB_PATH = join(DEFAULT_CONFIG_DIR, "agent-console.db");
...
L596: });
L597: import { spawn } from "child_process";
L598: function openBrowser(url) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-cli/index.js · L205

Findings

2 Critical · 2 High · 5 Medium · 5 Low

Critical · Critical Secret · dist-cli/index.js
Critical · Secret Pattern · dist-cli/index.js
High · Entrypoint Build Divergence · dist-cli/index.js
High · Previous Version Dangerous Delta · dist-cli/index.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist-cli/index.js
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings