registry  /  @astrasyncai/verification-gateway  /  3.11.0

@astrasyncai/verification-gateway@3.11.0

⚠ Under review

AstraSync KYA Platform SDK — counterparty verification gateway (verify incoming requests) + agent registration (register AI agents with the KYA backend).

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 58 file(s), 3.58 MB of source, external domains: api.astrasync.ai, astrasync.ai, mcp.visa.com, placeholder.invalid, staging.astrasync.ai

Source & flagged code

3 flagged · loading source
dist/bin/astrasync-guard.jsView file
5595var import_path3 = require("path"); L5596: var import_child_process = require("child_process"); L5597: var DEFAULT_CONFIG2 = {
High
Child Process

Package source references child process execution.

dist/bin/astrasync-guard.jsView on unpkg · L5595
530Cross-file remote execution chain: dist/bin/astrasync-guard.js spawns dist/bin/astrasync-claude-hook.js; helper contains network access plus dynamic code execution. L530: for (; index < max; index++) { L531: if (!isHexCode(data.charCodeAt(index))) return false; L532: hasDigits = true; ... L3487: this.print("\nShould any files be off-limits for reading?"); L3488: this.print(" Some files contain passwords, API keys, or private credentials.\n"); L3489: const blocked = await this.askBlockedPaths(); ... L3684: this.callbacks = callbacks; L3685: this.platformUrl = config.platformUrl || "https://astrasync.ai"; L3686: this.configDir = config.configDir || ".astrasync"; ... L3852: }, L3853: body: JSON.stringify({ L3854: policy: policyYaml,
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/astrasync-guard.jsView on unpkg · L530
dist/bin/astrasync-claude-hook.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @astrasyncai/verification-gateway@3.10.1 matchedIdentity = npm:[redacted]:3.10.1 similarity = 0.945 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/bin/astrasync-claude-hook.jsView on unpkg

Findings

1 Critical3 High2 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/bin/astrasync-claude-hook.js
HighChild Processdist/bin/astrasync-guard.js
HighShell
HighCross File Remote Execution Contextdist/bin/astrasync-guard.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings