@asterworks/agent-console@0.1.11

Local-first AI coding agent safety, work audit, and outcome dashboard for Claude Code and Codex.

Static Scan Results

scanned 9h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 912 KB of source, external domains: api.example.com, fb.me, reactjs.org, www.apple.com, www.w3.org

Source & flagged code

5 flagged
dist-cli/index.js
Line 834: patternName = private_key_rsa severity = critical line = 834 matchedText = if (kind...d]";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist-cli/index.js · L834
Line 834: patternName = private_key_rsa severity = critical line = 834 matchedText = if (kind...d]";
Critical
Secret Pattern

RSA private key in dist-cli/index.js

dist-cli/index.js · L834
Line 232: Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
L232: try {
L233: m = JSON.parse(row.metrics_json);
L234: } catch {
...
L240: if (row.type === "test_result") {
L241: if (typeof m.exitCode === "number" && m.exitCode !== 0) testsFailed += 1;
L242: else testsPassed += 1;
...
L465: "use strict";
L466: DEFAULT_CONFIG_DIR = join(homedir(), ".aster-agent-console");
L467: DEFAULT_DB_PATH = join(DEFAULT_CONFIG_DIR, "agent-console.db");
...
L626: });
L627: import { spawn } from "child_process";
L628: function openBrowser(url) {
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

dist-cli/index.js · L232
matchType = previous_version_dangerous_delta matchedPackage = @asterworks/agent-console@0.1.10 matchedIdentity = npm:[redacted]:0.1.10 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist-cli/index.js
L232: try {
L233: m = JSON.parse(row.metrics_json);
L234: } catch {
...
L240: if (row.type === "test_result") {
L241: if (typeof m.exitCode === "number" && m.exitCode !== 0) testsFailed += 1;
L242: else testsPassed += 1;
...
L465: "use strict";
L466: DEFAULT_CONFIG_DIR = join(homedir(), ".aster-agent-console");
L467: DEFAULT_DB_PATH = join(DEFAULT_CONFIG_DIR, "agent-console.db");
...
L626: });
L627: import { spawn } from "child_process";
L628: function openBrowser(url) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist-cli/index.js · L232

Findings

2 Critical · 2 High · 5 Medium · 5 Low
Critical: Critical Secret (dist-cli/index.js)
Critical: Secret Pattern (dist-cli/index.js)
High: Entrypoint Build Divergence (dist-cli/index.js)
High: Previous Version Dangerous Delta (dist-cli/index.js)
Medium: Network
Medium: Environment Vars
Medium: Install Persistence (dist-cli/index.js)
Medium: Protestware
Medium: Structural Risk Force Deep Review
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Telemetry
Low: Url Strings