registry  /  @madarco/agentbox  /  0.22.2

@madarco/agentbox@0.22.2

⚠ Under review

Launch Claude Code, Codex, and other coding agents in isolated sandboxes

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 53 file(s), 8.58 MB of source, external domains: 127.0.0.1, agent-box.sh, agentbox.localhost, api.github.com, api.hetzner.cloud, api.ipify.org, api.vercel.com, app.daytona.io, cli.github.com, console.hetzner.cloud, developers.notion.com, docs.docker.com, e2b.dev, get.docker.com, github.com, herdr.dev, host.docker.internal, icanhazip.com, ifconfig.io, plane.example.com, registry.npmjs.org, vercel.com

Source & flagged code

13 flagged · loading source
dist/chunk-7HAGPF4X.jsView file
32} from "@daytonaio/sdk"; L33: import { spawnSync } from "child_process"; L34: import { homedir as homedir2 } from "os";
High
Child Process

Package source references child process execution.

dist/chunk-7HAGPF4X.jsView on unpkg · L32
dist/chunk-ES2DDCAC.jsView file
273import { setTimeout as delay } from "timers/promises"; L274: import { execa } from "execa"; L275: import { readdir, stat as stat2 } from "fs/promises";
High
Shell

Package source references shell execution.

dist/chunk-ES2DDCAC.jsView on unpkg · L273
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @madarco/agentbox@0.21.0 matchedIdentity = npm:QG1hZGFyY28vYWdlbnRib3g:0.21.0 similarity = 0.519 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
351try { L352: const loaded = await loadEffectiveConfig(process.cwd()); L353: const kind = loaded.effective.engine.kind; ... L445: const idx = typeof b.projectIndex === "number" ? `${String(b.projectIndex)})` : " -)"; L446: process.stderr.write(` ${idx} ${b.name} (id ${b.id}) L447: `); ... L744: if (boxId) url.searchParams.set("box", boxId); L745: const res = await fetch(url); L746: if (!res.ok) { ... L748: } L749: const body = await res.json(); L750: return body.events ?? [];
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L351
2146if (total > cap) return; L2147: const { readdir: readdir4 } = await import("fs/promises"); L2148: let names;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2146
dist/chunk-QT3SHMLY.jsView file
510type: "bool", L511: description: "Map each box web app to a https://<box-name>.localhost URL via the Portless proxy (Docker Desktop only; OrbStack already has .orb.local). Default: prompt." L512: }, ... L787: } L788: var STATE_DIR = join(homedir(), ".agentbox"); L789: var GLOBAL_CONFIG_FILE = join(STATE_DIR, "config.yaml"); ... L912: function mergeLayers(input) { L913: const effective = JSON.parse(JSON.stringify(BUILT_IN_DEFAULTS)); L914: const sources = {};
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunk-QT3SHMLY.jsView on unpkg · L510
dist/chunk-5DZTXHLQ.jsView file
63Cross-file remote execution chain: dist/chunk-5DZTXHLQ.js spawns dist/index.js; helper contains network access plus dynamic code execution. L63: // ../../packages/sandbox-docker/dist/index.js L64: import { spawnSync } from "child_process"; L65: import { mkdir as mkdir2, mkdtemp as mkdtemp2, readdir as readdir2, readFile as readFile22, rm as rm2, stat as stat2, writeFile as writeFile2 } from "fs/promises"; ... L101: import { homedir as homedir10 } from "os"; L102: import { basename as basename4, join as join12, resolve as resolve4 } from "path"; L103: import { execa as execa15 } from "execa"; ... L119: String(r.restarts), L120: r.lastExitCode === null ? "-" : String(r.lastExitCode), L121: r.blockedOn.length === 0 ? "-" : r.blockedOn.join(","), ... L1043: function loadGitHubAppConfig() { L1044: const appId = process.env.GITHUB_APP_ID; L1045: let key = process.env.GITHUB_APP_PRIVATE_KEY;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-5DZTXHLQ.jsView on unpkg · L63
63// ../../packages/sandbox-docker/dist/index.js L64: import { spawnSync } from "child_process"; L65: import { mkdir as mkdir2, mkdtemp as mkdtemp2, readdir as readdir2, readFile as readFile22, rm as rm2, stat as stat2, writeFile as writeFile2 } from "fs/promises"; ... L101: import { homedir as homedir10 } from "os"; L102: import { basename as basename4, join as join12, resolve as resolve4 } from "path"; L103: import { execa as execa15 } from "execa"; ... L119: String(r.restarts), L120: r.lastExitCode === null ? "-" : String(r.lastExitCode), L121: r.blockedOn.length === 0 ? "-" : r.blockedOn.join(","), ... L1043: function loadGitHubAppConfig() { L1044: const appId = process.env.GITHUB_APP_ID; L1045: let key = process.env.GITHUB_APP_PRIVATE_KEY;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-5DZTXHLQ.jsView on unpkg · L63
runtime/hub/apps/hub/chunk-7J6ZFTT4.jsView file
1783} L1784: if ((process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? "").length > 0) { L1785: return null; ... L1797: function runHostGh(args, cwd, timeoutMs = GH_RPC_TIMEOUT_MS) { L1798: return new Promise((resolve6) => { L1799: const child = spawn("gh", args, { L1800: cwd,
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

runtime/hub/apps/hub/chunk-7J6ZFTT4.jsView on unpkg · L1783
dist/chunk-S4OWE3UD.jsView file
1315async function readGitOriginUrl(workspacePath) { L1316: const r = await execa6("git", ["-C", workspacePath, "remote", "get-url", "origin"], { L1317: reject: false L1318: }); L1319: const url = (r.stdout ?? "").trim(); L1320: return r.exitCode === 0 && url.length > 0 ? url : void 0; ... L1323: const url = `${args.controlPlaneUrl.replace(/\/$/, "")}/admin/register-box`; L1324: const res = await fetch(url, { L1325: method: "POST", ... L1329: }, L1330: body: JSON.stringify({ L1331: boxId: args.boxId,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunk-S4OWE3UD.jsView on unpkg · L1315
dist/chunk-3KAWXDQ4.jsView file
116try { L117: const r = await execa(bin, ["--version"], { reject: false }); L118: if (r.exitCode === 0) { ... L131: function installSbxHint() { L132: return "npm install -g sandbox"; L133: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/chunk-3KAWXDQ4.jsView on unpkg · L116
runtime/vercel/scripts/provision.shView file
path = [redacted].sh kind = build_helper sizeBytes = 21714 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/vercel/scripts/provision.shView on unpkg
runtime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2View file
path = runtime/hub/apps/hub/.[redacted]-s.p.40sczeszzbjw1.woff2 kind = high_entropy_blob sizeBytes = 10052 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

runtime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2View on unpkg

Findings

2 Critical7 High6 Medium5 Low
CriticalSame File Env Network Executionruntime/hub/apps/hub/chunk-7J6ZFTT4.js
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/chunk-7HAGPF4X.js
HighShelldist/chunk-ES2DDCAC.js
HighCommand Output Exfiltrationdist/chunk-S4OWE3UD.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighCross File Remote Execution Contextdist/chunk-5DZTXHLQ.js
HighRuntime Package Installdist/chunk-3KAWXDQ4.js
HighShips High Entropy Blobruntime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-5DZTXHLQ.js
MediumShips Build Helperruntime/vercel/scripts/provision.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/chunk-QT3SHMLY.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings