registry  /  @lebtiga/sonic-agent  /  2.0.15

@lebtiga/sonic-agent@2.0.15

Sonic — a specialized AI agent for building WordPress authority websites at scale. Founders cohort license required.

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 120 KB of source, external domains: api.anthropic.com, api.openai.com, api.pexels.com, claude.com, fal.run, generativelanguage.googleapis.com, nodejs.org, sonic.saasperity.com, zjvmclbpjjzsmboptwgk.supabase.co

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
lib/server-validate.jsView file
24patternName = supabase_service_key severity = critical line = 24 matchedText = 'eyJhbGc...MY';
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/server-validate.jsView on unpkg · L24
24patternName = supabase_service_key severity = critical line = 24 matchedText = 'eyJhbGc...MY';
Critical
Secret Pattern

Supabase service role key (JWT) in lib/server-validate.js

lib/server-validate.jsView on unpkg · L24
bin/sonic.jsView file
12L13: const fs = require('fs'); L14: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/sonic.jsView on unpkg · L12
lib/doctor.jsView file
12const os = require('node:os'); L13: const https = require('node:https'); L14: const { execSync, spawnSync } = require('node:child_process'); L15: ... L26: L27: const pkg = require('../package.json'); L28: ... L50: function findClaudeBin() { L51: const PATH = process.env.PATH || ''; L52: const sep = process.platform === 'win32' ? ';' : ':'; L53: const ext = process.platform === 'win32' ? ['.exe', '.cmd', ''] : ['']; ... L80: // The #1 support ticket: root-owned npm cache / global dir.
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/doctor.jsView on unpkg · L12

Findings

2 Critical2 High5 Medium4 Low
CriticalCritical Secretlib/server-validate.js
CriticalSecret Patternlib/server-validate.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitylib/doctor.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/sonic.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings