registry  /  @posthog/agent  /  2.3.1315

@posthog/agent@2.3.1315

⚠ Under review

TypeScript agent framework wrapping Claude Agent SDK with Git-based task execution for PostHog

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 196 file(s), 5.02 MB of source, external domains: a.com, app.dev.posthog.dev, app.posthog.com, b.com, eu.posthog.com, example.com, gateway.dev.posthog.dev, gateway.eu.posthog.com, gateway.example, gateway.timeout-test, gateway.us.posthog.com, github.com, logs.example.com, mcp.example, mcp.example.com, ngrok.test, posthog.com, posthog.slack.com, sandbox.example.com, sse.example.com, test.posthog.com, us.i.posthog.com, us.posthog.com

Source & flagged code

8 flagged · loading source
dist/handoff-checkpoint.jsView file
904// ../git/dist/handoff.js L905: import { spawn as spawn3 } from "child_process"; L906: import { copyFile, mkdtemp, readFile as readFile2, rm as rm2, stat as stat2 } from "fs/promises";
High
Child Process

Package source references child process execution.

dist/handoff-checkpoint.jsView on unpkg · L904
dist/server/agent-server.jsView file
20167} L20168: async function handlePostHogExecApprovalFlow(context, subTool) { L20169: const { toolName, toolInput, toolUseID, sessionId, session } = context;
High
Shell

Package source references shell execution.

dist/server/agent-server.jsView on unpkg · L20167
171for (let i2 = 0; i2 < namespace.length; i2++) { L172: hash = (hash << 5) - hash + namespace.charCodeAt(i2); L173: hash |= 0; ... L431: let m; L432: return typeof document !== "undefined" && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance || // Is firebug? http://sta... L433: typeof window !== "undefined" && window.console && (window.console.firebug || window.console.exception && window.console.table) || // Is firefox >= v31? ... L476: if (!r && typeof process !== "undefined" && "env" in process) { L477: r = process.env.DEBUG; L478: } ... L562: } L563: if (process.platform === "win32") { L564: const osRelease = os10.release().split(".");
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/server/agent-server.jsView on unpkg · L171
171Cross-file remote execution chain: dist/server/agent-server.js spawns dist/handoff-checkpoint.js; helper contains network access plus dynamic code execution. L171: for (let i2 = 0; i2 < namespace.length; i2++) { L172: hash = (hash << 5) - hash + namespace.charCodeAt(i2); L173: hash |= 0; ... L431: let m; L432: return typeof document !== "undefined" && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance || // Is firebug? http://sta... L433: typeof window !== "undefined" && window.console && (window.console.firebug || window.console.exception && window.console.table) || // Is firefox >= v31? ... L476: if (!r && typeof process !== "undefined" && "env" in process) { L477: r = process.env.DEBUG; L478: } ... L562: } L563: if (process.platform === "win32") { L564: const osRelease = os10.release().split(".");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/server/agent-server.jsView on unpkg · L171
1820var func = `(${args}) => { ${body} };`; L1821: ASM_CONSTS[start] = eval(func); L1822: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/server/agent-server.jsView on unpkg · L1820
dist/claude-cli/claudeView file
path = dist/claude-cli/claude kind = native_binary sizeBytes = 245517112 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/claude-cli/claudeView on unpkg
src/adapters/claude/session/options.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @posthog/agent@2.3.1187 matchedIdentity = npm:QHBvc3Rob2cvYWdlbnQ:2.3.1187 similarity = 0.458 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/adapters/claude/session/options.tsView on unpkg
src/server/agent-server.test.tsView file
327patternName = private_key_rsa severity = critical line = 327 matchedText = const TE...----
Critical
Secret Pattern

RSA private key in src/server/agent-server.test.ts

src/server/agent-server.test.tsView on unpkg · L327

Findings

2 Critical4 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/adapters/claude/session/options.ts
CriticalSecret Patternsrc/server/agent-server.test.ts
HighChild Processdist/handoff-checkpoint.js
HighShelldist/server/agent-server.js
HighObfuscated Payload Loaderdist/server/agent-server.js
HighCross File Remote Execution Contextdist/server/agent-server.js
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarydist/claude-cli/claude
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowEvaldist/server/agent-server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings