@proagentstore/cli@0.3.3

CLI for creating, publishing, and running ProAgentStore agents

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 19 file(s), 196 KB of source, external domains: 127.0.0.1, api.proagentstore.online, example.test, github.com, js.hcaptcha.com, mcp.proagentstore.online, proagentstore.online

Source & flagged code

4 flagged
dist/browser-runner/runner.js
  L1: import { spawnSync } from "node:child_process";
  L2: import { existsSync, mkdirSync, rmSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/browser-runner/runner.js · L1
dist/browser-runner/coding/runtime.js
  L54: snapshot(sessionId) {
  L55: const session = this.require(sessionId);
  L56: const alive = session.alive;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/browser-runner/coding/runtime.js · L54
dist/index.js
  L504: // src/commands/mcp.ts
  L505: import { spawn } from "child_process";
  L506: import { Command as Command4 } from "commander";
  L507: var DEFAULT_MCP_URL = "https://mcp.proagentstore.online/mcp";
  L508: function buildMcpRemoteArgs(opts, extraArgs = []) {
  ...
  L513: stdio: "inherit",
  L514: env: process.env
  L515: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.js · L504
  L19: function writeLine(message = "") {
  L20: process.stdout.write(`${message}
  L21: `);
  ...
  L41: try {
  L42: manifest = JSON.parse(readFileSync(manifestPath, "utf-8"));
  L43: } catch {
  ...
  L70: });
  L71: const hasPkg = existsSync(join(dir, "package.json"));
  L72: results.push({
  ...
  L119: var __filename = fileURLToPath(import.meta.url);
  L120: var __dirname = dirname(__filename);
  L121: var TEMPLATES = ["worker", "cron", "api"];
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.js · L19

Findings

4 High · 4 Medium · 4 Low
High · Child Process · dist/browser-runner/runner.js
High · Shell
High · Same File Env Network Execution · dist/index.js
High · Sandbox Evasion Gated Capability · dist/index.js
Medium · Dynamic Require · dist/browser-runner/coding/runtime.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings