registry  /  @integrity-labs/agt-cli  /  0.28.244

@integrity-labs/agt-cli@0.28.244

⚠ Under review

Augmented Team CLI — agent provisioning and management

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 21 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 23 file(s), 8.26 MB of source, external domains: accounts.google.com, adaptivecards.io, api.agt.localhost, api.anchorbrowser.io, api.anthropic.com, api.augmented.team, api.botframework.com, api.buffer.com, api.github.com, api.notion.com, api.postiz.com, api.slack.com, api.v0.dev, api.xero.com, app.augmented.team, app.kajabi.com, augmented.dev, augmented.team, aws.amazon.com, backend.composio.dev, claude.ai, cli.coderabbit.ai, cli.github.com, cloud.google.com, docs.anchorbrowser.io, docs.anthropic.com, docs.deck.co, docs.expo.dev, docs.firecrawl.dev, docs.google.com, docs.granola.ai, docs.postiz.com, elevenlabs.io, ext-api.app.brandninja.ai, feross.org, gist.github.com, github.com, graph.microsoft.com, help.kajabi.com, higgsfield.ai, identity.xero.com, json-schema.org, live.augmented.team, login.microsoftonline.com, login.xero.com, management.azure.com, mathiasbynens.be, mcp-auth.granola.ai, mcp.granola.ai, mcp.higgsfield.ai
Oversized source lightweight scan
dist/mcp/whatsapp-channel.js5.74 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsfeross.orgraw.githubusercontent.comwww.apache.org
dist/mcp/whatsapp-link.js5.39 MB file, sampled 256 KB
ChildProcessEnvironmentVars

Source & flagged code

13 flagged · loading source
dist/bin/agt.jsView file
1745import ora10 from "ora"; L1746: import { spawn } from "child_process"; L1747: import { existsSync as existsSync6, readFileSync as readFileSync5, writeFileSync as writeFileSync7 } from "fs";
High
Child Process

Package source references child process execution.

dist/bin/agt.jsView on unpkg · L1745
89Cross-file remote execution chain: dist/bin/agt.js spawns dist/mcp/index.js; helper contains network access plus dynamic code execution. L89: } L90: process.exitCode = 1; L91: return; ... L140: const json = isJsonMode(); L141: const configDir = opts.configDir ?? join(homedir(), ".augmented"); L142: const cachePath = defaultFlagsCachePath(configDir); ... L156: } L157: resolved = [resolveFlagFromLayers(definition, heartbeatFlags, process.env)]; L158: } else { ... L214: const emit = (obj) => { L215: process.stdout.write(`${JSON.stringify(obj)} L216: `);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/agt.jsView on unpkg · L89
89} L90: process.exitCode = 1; L91: return; ... L140: const json = isJsonMode(); L141: const configDir = opts.configDir ?? join(homedir(), ".augmented"); L142: const cachePath = defaultFlagsCachePath(configDir); ... L156: } L157: resolved = [resolveFlagFromLayers(definition, heartbeatFlags, process.env)]; L158: } else { ... L214: const emit = (obj) => { L215: process.stdout.write(`${JSON.stringify(obj)} L216: `);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/bin/agt.jsView on unpkg · L89
dist/manager-supervisor-RMC62QES.jsView file
261const envLines = Object.entries(opts.env).filter(([k, v]) => k.length > 0 && v != null && !LINUX_SECRET_ENV_KEYS.has(k)).map(([k, v]) => `Environment="${k}=${escapeForSystemdEnv(v)... L262: const execArgs = [ L263: opts.agtBin,
High
Shell

Package source references shell execution.

dist/manager-supervisor-RMC62QES.jsView on unpkg · L261
dist/mcp/origami.jsView file
21859var source = compiler.compile(this.tmplStr, this.env.asyncFilters, this.env.extensionsList, this.path, this.env.opts); L21860: var func = new Function(source); L21861: props = func();
High
Eval

Package source references dynamic code evaluation.

dist/mcp/origami.jsView on unpkg · L21859
dist/mcp/teams-channel.jsView file
1227// validation function arguments L1228: data: new codegen_1.Name("data"), L1229: // data passed to validation function ... L2254: id = normalizeId(id); L2255: return resolver.resolve(baseId, id); L2256: } ... L3114: for (i = 0; i < input.length; i++) { L3115: code = input[i].charCodeAt(0); L3116: if (code === 48) { ... L13806: var StdioServerTransport = class { L13807: constructor(_stdin = process2.stdin, _stdout = process2.stdout) { L13808: this._stdin = _stdin;
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/mcp/teams-channel.jsView on unpkg · L1227
14163function resolveHostBooleanFlag(opts) { L14164: const env = opts.env ?? process.env; L14165: const envValue = envBoolean(env[opts.envVar]); ... L14172: // src/reply-intent-runtime.ts L14173: import { execFile } from "child_process"; L14174: import { existsSync as existsSync2, mkdirSync, writeFileSync } from "fs"; ... L14177: var DEFAULT_CLAUDE_EVAL_MODEL = "claude-haiku-4-5-20251001"; L14178: var DEFAULT_ANTHROPIC_MESSAGES_URL = "https://api.anthropic.com/v1/messages"; L14179: var ANTHROPIC_API_VERSION = "2023-06-01";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/mcp/teams-channel.jsView on unpkg · L14163
dist/lib/manager-worker.jsView file
132import { readFileSync as readFileSync14, writeFileSync as writeFileSync6, mkdirSync as mkdirSync6, existsSync as existsSync8, rmSync as rmSync4, readdirSync as readdirSync5, statSy... L133: import { execFileSync as syncExecFile } from "child_process"; L134: import { join as join16, dirname as dirname5 } from "path"; ... L143: function claudeCodeUpgradeMarkerPath() { L144: return join(homedir(), ".augmented", ".last-claude-code-upgrade-check"); L145: } ... L425: try { L426: const raw = JSON.parse(readFileSync2(path, "utf8")); L427: if (typeof raw.step === "string" && isOnboardingArea(raw.step) && typeof raw.injectedAtMs === "number" && Number.isFinite(raw.injectedAtMs)) { ... L570: function readEnvNumber(name, fallback) { L571: const raw = process.env[name]; L572: if (!raw) return fallback;
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/lib/manager-worker.jsView on unpkg · L132
132Trigger-reachable chain: manifest.bin -> dist/bin/agt.js -> dist/chunk-JKTHAXOS.js -> dist/lib/manager-worker.js L132: import { readFileSync as readFileSync14, writeFileSync as writeFileSync6, mkdirSync as mkdirSync6, existsSync as existsSync8, rmSync as rmSync4, readdirSync as readdirSync5, statSy... L133: import { execFileSync as syncExecFile } from "child_process"; L134: import { join as join16, dirname as dirname5 } from "path"; ... L143: function claudeCodeUpgradeMarkerPath() { L144: return join(homedir(), ".augmented", ".last-claude-code-upgrade-check"); L145: } ... L425: try { L426: const raw = JSON.parse(readFileSync2(path, "utf8")); L427: if (typeof raw.step === "string" && isOnboardingArea(raw.step) && typeof raw.injectedAtMs === "number" && Number.isFinite(raw.injectedAtMs)) { ... L570: function readEnvNumber(name, fallback) { L571: const raw = process.env[name]; L572: if (!raw) return fallback;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/manager-worker.jsView on unpkg · L132
dist/chunk-JKTHAXOS.jsView file
249for (const f of secretFindings) { L250: process.stderr.write(`${formatLiteralSecretRejection(f)} L251: `); ... L905: parts.push(""); L906: parts.push("On a team in a **different organisation**, authorised by a", "cross-team peer grant. Treat them as a contracted external party:", "", "- Assume **no shared context** \u... L907: for (const p of crossOrgGrant) ... L1042: const { frontmatter, role, description, resolvedChannels, team, organization, hasQmd, integrations, knowledge, timezone, reportsTo, personalitySeed, teamMembers, people, peerGates,... L1043: const consoleUrl = input.consoleUrl ?? "https://app.augmented.team"; L1044: const channelList = resolvedChannels?.length ? resolvedChannels.join(", ") : "none"; ... L1660: import { homedir as homedir2 } from "os"; L1661: import { execFile } from "child_process"; L1662:
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/chunk-JKTHAXOS.jsView on unpkg · L249
dist/assets/impersonate-statusline.shView file
path = dist/assets/impersonate-statusline.sh kind = build_helper sizeBytes = 3911 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/assets/impersonate-statusline.shView on unpkg
dist/mcp/whatsapp-channel.jsView file
path = dist/mcp/whatsapp-channel.js kind = oversized_source_file sizeBytes = 6015662 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/mcp/whatsapp-channel.jsView on unpkg
path = dist/mcp/whatsapp-channel.js kind = oversized_cli_entrypoint sizeBytes = 6015662 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/mcp/whatsapp-channel.jsView on unpkg

Findings

3 Critical7 High6 Medium5 Low
CriticalCommand Output Exfiltrationdist/lib/manager-worker.js
CriticalRemote Asset Decode Executedist/mcp/teams-channel.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/manager-worker.js
HighChild Processdist/bin/agt.js
HighShelldist/manager-supervisor-RMC62QES.js
HighEvaldist/mcp/origami.js
HighSame File Env Network Executiondist/mcp/teams-channel.js
HighCloud Metadata Accessdist/chunk-JKTHAXOS.js
HighCross File Remote Execution Contextdist/bin/agt.js
HighOversized Source Filedist/mcp/whatsapp-channel.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/bin/agt.js
MediumShips Build Helperdist/assets/impersonate-statusline.sh
MediumOversized Cli Entrypointdist/mcp/whatsapp-channel.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License