@kontourai/flow-agents@3.0.0

Flow Agents — a Kontour product that applies Flow and Veritas discipline as a portable process layer inside the agent tools you already use: Claude Code, Codex, Kiro, opencode, pi, and GitHub Actions — with framework adapters (AWS Strands preview) on the

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.

Scanned 183 file(s), 2.59 MB of source. External domains: github.com, hachure.org, in-toto.io, kontourai.dev, opencode.ai

Source & flagged code

6 flagged
evals/integration/test_hook_category_behaviors.sh · L155
  patternName = aws_access_key · severity = critical · line = 155 · matchedText = if print...}' \
  Critical · Critical Secret
  Package contains a critical-looking secret pattern.

evals/integration/test_hook_category_behaviors.sh · L155
  patternName = aws_access_key · severity = critical · line = 155 · matchedText = if print...}' \
  Critical · Secret Pattern
  AWS access key ID in evals/integration/test_hook_category_behaviors.sh
packaging/conformance/run-conformance.js · L22
  L23: const fs = require('fs');
  L24: const path = require('path');
  Medium · Dynamic Require
  Package source references dynamic require/import behavior.
context/scripts/hooks/stop-format-typecheck.js · L11
  L12: const { execFileSync, spawnSync } = require('child_process');
  L13: const fs = require('fs');
  ...
  L26: const os = require('os');
  L27: const id = crypto.createHash('sha1').update(process.cwd()).digest('hex').slice(0, 12);
  L28: return path.join(os.tmpdir(), `flow-agents-edited-${id}.txt`);
  ...
  L65: const opts = { cwd: tsConfigDir, encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'], timeout: timeoutMs };
  L66: let stdout = '', stderr = '', failed = false;
  L67: try {
  ...
  L81: if (relevant.length > 0) {
  L82: process.stderr.write(`[Hook] TypeScript errors in ${path.basename(filePath)}:\n`);
  L83: relevant.forEach(l => process.stderr.write(l + '\n'));
  Low · Weak Crypto
  Package source references weak cryptographic algorithms.
evals/ci/run-baseline.sh
  path = evals/ci/run-baseline.sh · kind = build_helper · sizeBytes = 15370 · magicHex = [redacted]
  Medium · Ships Build Helper
  Package ships non-JavaScript build or shell helper files.
evals/fixtures/veritas-governance-adapter/fake-veritas-secret-fail.sh
  path = evals/fixtures/veritas-governance-adapter/fake-veritas-secret-fail.sh · kind = payload_in_excluded_dir · sizeBytes = 279 · magicHex = [redacted]
  High · Payload In Excluded Dir
  Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

Findings

2 Critical · 1 High · 5 Medium · 5 Low

Critical · Critical Secret · evals/integration/test_hook_category_behaviors.sh
Critical · Secret Pattern · evals/integration/test_hook_category_behaviors.sh
High · Payload In Excluded Dir · evals/fixtures/veritas-governance-adapter/fake-veritas-secret-fail.sh
Medium · Dynamic Require · packaging/conformance/run-conformance.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · evals/ci/run-baseline.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · context/scripts/hooks/stop-format-typecheck.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings