registry  /  @cutleryapp/agent  /  1.0.71

@cutleryapp/agent@1.0.71

Local agent that connects your machine to the Cutlery QA platform and runs UI tests via Playwright

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 293 KB of source, external domains: example.com

Source & flagged code

7 flagged · loading source
dist/mcp-executor.jsView file
575patternName = generic_password severity = medium line = 575 matchedText = password...rp",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/mcp-executor.jsView on unpkg · L575
1871patternName = generic_password severity = medium line = 1871 matchedText = password...3!',
Medium
Secret Pattern

Hardcoded password in dist/mcp-executor.js

dist/mcp-executor.jsView on unpkg · L1871
1872patternName = generic_password severity = medium line = 1872 matchedText = confirmp...3!',
Medium
Secret Pattern

Hardcoded password in dist/mcp-executor.js

dist/mcp-executor.jsView on unpkg · L1872
dist/cli.jsView file
48const os = __importStar(require("os")); L49: const child_process_1 = require("child_process"); L50: const ws_1 = __importDefault(require("ws"));
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L48
46const path_1 = require("path"); L47: const http = __importStar(require("http")); L48: const os = __importStar(require("os")); L49: const child_process_1 = require("child_process"); L50: const ws_1 = __importDefault(require("ws")); ... L58: async function ensureBrowsersInstalled() { L59: if (process.env.CUTLERY_SKIP_BROWSER_INSTALL === "1") L60: return;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L46
48const os = __importStar(require("os")); L49: const child_process_1 = require("child_process"); L50: const ws_1 = __importDefault(require("ws")); ... L55: // browser binaries are downloaded separately (~300MB for chromium). Without L56: // this, the first `connect` from a fresh `npx @cutleryapp/agent` install fails L57: // with "Executable doesn't exist" the moment it tries to launch a test.
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L48
310patternName = generic_password severity = medium line = 310 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in dist/cli.js

dist/cli.jsView on unpkg · L310

Findings

3 High7 Medium5 Low
HighChild Processdist/cli.js
HighSame File Env Network Executiondist/cli.js
HighRuntime Package Installdist/cli.js
MediumSecret Patterndist/mcp-executor.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/mcp-executor.js
MediumSecret Patterndist/mcp-executor.js
MediumSecret Patterndist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings