registry  /  @madarco/agentbox  /  0.24.0

@madarco/agentbox@0.24.0

⚠ Under review

Launch Claude Code, Codex, and other coding agents in isolated sandboxes

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 19 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 58 file(s), 9.96 MB of source, external domains: 127.0.0.1, agent-box.sh, agentbox.localhost, api.digitalocean.com, api.github.com, api.hetzner.cloud, api.ipify.org, api.vercel.com, app.daytona.io, cli.github.com, cloud.digitalocean.com, console.hetzner.cloud, developers.notion.com, docs.docker.com, e2b.dev, get.docker.com, github.com, herdr.dev, host.docker.internal, icanhazip.com, ifconfig.io, plane.example.com, registry.npmjs.org, vercel.com

Source & flagged code

12 flagged · loading source
dist/chunk-6U2S6QWD.jsView file
82import { basename as basename2, resolve } from "path"; L83: import { execa } from "execa"; L84: import { mkdtemp, rm, writeFile } from "fs/promises"; ... L179: ); L180: const boxShas = rev.stdout.split("\n").map((s) => s.trim()).filter((s) => SHA_RE.test(s)); L181: if (boxShas.length === 0) { ... L255: if (relPaths.length === 0) return tokens; L256: const payload = Buffer.from(relPaths.join("\0")).toString("base64"); L257: const script = `printf %s ${quoteShellArg(payload)} | base64 -d | ( cd ${quoteShellArg(ct)} && while IFS= read -r -d '' f; do if [ -f "$f" ] && [ ! -L "$f" ]; then printf '%s\\0%s\... ... L452: for (const k of forwardedKeys) { L453: const v = process.env[k]; L454: if (typeof v === "string" && v.length > 0) env[k] = v;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-6U2S6QWD.jsView on unpkg · L82
82Trigger-reachable chain: manifest.bin -> dist/index.js -> dist/chunk-6U2S6QWD.js L82: import { basename as basename2, resolve } from "path"; L83: import { execa } from "execa"; L84: import { mkdtemp, rm, writeFile } from "fs/promises"; ... L179: ); L180: const boxShas = rev.stdout.split("\n").map((s) => s.trim()).filter((s) => SHA_RE.test(s)); L181: if (boxShas.length === 0) { ... L255: if (relPaths.length === 0) return tokens; L256: const payload = Buffer.from(relPaths.join("\0")).toString("base64"); L257: const script = `printf %s ${quoteShellArg(payload)} | base64 -d | ( cd ${quoteShellArg(ct)} && while IFS= read -r -d '' f; do if [ -f "$f" ] && [ ! -L "$f" ]; then printf '%s\\0%s\... ... L452: for (const k of forwardedKeys) { L453: const v = process.env[k]; L454: if (typeof v === "string" && v.length > 0) env[k] = v;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-6U2S6QWD.jsView on unpkg · L82
302caps, L303: async exec(cmd, opts) { L304: const r = await backend.exec(handle, quoteShellArgv(cmd), {
High
Child Process

Package source references child process execution.

dist/chunk-6U2S6QWD.jsView on unpkg · L302
82import { basename as basename2, resolve } from "path"; L83: import { execa } from "execa"; L84: import { mkdtemp, rm, writeFile } from "fs/promises";
High
Shell

Package source references shell execution.

dist/chunk-6U2S6QWD.jsView on unpkg · L82
1436async function readGitOriginUrl(workspacePath) { L1437: const r = await execa6("git", ["-C", workspacePath, "remote", "get-url", "origin"], { L1438: reject: false L1439: }); L1440: const url = (r.stdout ?? "").trim(); L1441: return r.exitCode === 0 && url.length > 0 ? url : void 0; ... L1444: const url = `${args.controlPlaneUrl.replace(/\/$/, "")}/admin/register-box`; L1445: const res = await fetch(url, { L1446: method: "POST", ... L1450: }, L1451: body: JSON.stringify({ L1452: boxId: args.boxId,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/chunk-6U2S6QWD.jsView on unpkg · L1436
82import { basename as basename2, resolve } from "path"; L83: import { execa } from "execa"; L84: import { mkdtemp, rm, writeFile } from "fs/promises"; ... L179: ); L180: const boxShas = rev.stdout.split("\n").map((s) => s.trim()).filter((s) => SHA_RE.test(s)); L181: if (boxShas.length === 0) { ... L255: if (relPaths.length === 0) return tokens; L256: const payload = Buffer.from(relPaths.join("\0")).toString("base64"); L257: const script = `printf %s ${quoteShellArg(payload)} | base64 -d | ( cd ${quoteShellArg(ct)} && while IFS= read -r -d '' f; do if [ -f "$f" ] && [ ! -L "$f" ]; then printf '%s\\0%s\... ... L452: for (const k of forwardedKeys) { L453: const v = process.env[k]; L454: if (typeof v === "string" && v.length > 0) env[k] = v;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-6U2S6QWD.jsView on unpkg · L82
runtime/docker/packages/ctl/dist/bin.cjsView file
11313return new Promise((resolve4) => { L11314: const child = (0, import_node_child_process.spawn)(cmd, args, { cwd, stdio: ["ignore", "pipe", "pipe"] }); L11315: let stderr = ""; ... L11318: if (code !== 0 && stderr) process.stderr.write(stderr); L11319: resolve4(code ?? 1); L11320: }); ... L11328: stdio: ["ignore", fd, fd], L11329: env: process.env L11330: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

runtime/docker/packages/ctl/dist/bin.cjsView on unpkg · L11313
11}; L12: var __commonJS = (cb, mod) => function __require() { L13: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

runtime/docker/packages/ctl/dist/bin.cjsView on unpkg · L11
dist/chunk-I654PBHA.jsView file
75Cross-file remote execution chain: dist/chunk-I654PBHA.js spawns dist/index.js; helper contains network access plus dynamic code execution. L75: // ../../packages/sandbox-docker/dist/index.js L76: import { spawnSync } from "child_process"; L77: import { mkdtemp as mkdtemp2, readdir as readdir2, readFile as readFile22, rm as rm2, stat as stat2, writeFile as writeFile2 } from "fs/promises"; ... L113: import { homedir as homedir10 } from "os"; L114: import { basename as basename4, join as join12, resolve as resolve4 } from "path"; L115: import { execa as execa16 } from "execa"; ... L131: String(r.restarts), L132: r.lastExitCode === null ? "-" : String(r.lastExitCode), L133: r.blockedOn.length === 0 ? "-" : r.blockedOn.join(","), ... L1056: function loadGitHubAppConfig() { L1057: const appId = process.env.GITHUB_APP_ID; L1058: let key = process.env.GITHUB_APP_PRIVATE_KEY;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunk-I654PBHA.jsView on unpkg · L75
runtime/vercel/scripts/provision.shView file
path = [redacted].sh kind = build_helper sizeBytes = 22865 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

runtime/vercel/scripts/provision.shView on unpkg
runtime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2View file
path = runtime/hub/apps/hub/.[redacted]-s.p.40sczeszzbjw1.woff2 kind = high_entropy_blob sizeBytes = 10052 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

runtime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2View on unpkg
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @madarco/agentbox@0.21.0 matchedIdentity = npm:QG1hZGFyY28vYWdlbnRib3g:0.21.0 similarity = 0.593 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

3 Critical6 High6 Medium4 Low
CriticalCredential Exfiltrationdist/chunk-6U2S6QWD.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-6U2S6QWD.js
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/chunk-6U2S6QWD.js
HighShelldist/chunk-6U2S6QWD.js
HighSame File Env Network Executionruntime/docker/packages/ctl/dist/bin.cjs
HighCommand Output Exfiltrationdist/chunk-6U2S6QWD.js
HighCross File Remote Execution Contextdist/chunk-I654PBHA.js
HighShips High Entropy Blobruntime/hub/apps/hub/.next/static/media/99e609270109b47d-s.p.40sczeszzbjw1.woff2
MediumDynamic Requireruntime/docker/packages/ctl/dist/bin.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-6U2S6QWD.js
MediumShips Build Helperruntime/vercel/scripts/provision.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings