registry  /  @promptbook/browser  /  0.113.0-4

@promptbook/browser@0.113.0-4

Promptbook: Create persistent AI agents that turn your company's scattered knowledge into action

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.07 MB of source, external domains: api.github.com, calendar.google.com, example.com, github.com, legal-db.example.com, linkedin.com, openai.com, platform.openai.com, promptbook.studio, pseudo-agent.promptbook, ptbk.io, s6.ptbk.io, serpapi.com, twitter.com, www.googleapis.com

Source & flagged code

4 flagged · loading source
esm/index.es.jsView file
29729name: 'agent-file-import-plugin', L29730: canImport(mimeType) { L29731: // [🧠] Should we have a specific MIME type for agent books?
Medium
Dynamic Require

Package source references dynamic require/import behavior.

esm/index.es.jsView on unpkg · L29729
27207try { L27208: eval(script); // <- TODO: Use `JavascriptExecutionTools.execute` here L27209: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

esm/index.es.jsView on unpkg · L27207
umd/index.umd.jsView file
3typeof define === 'function' && define.amd ? define(['exports', 'spacetrim', 'destroyable', 'rxjs', 'crypto-js', 'crypto-js/enc-hex', 'path', 'crypto', 'moment', 'mime-types', 'wai... L4: (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global["promptbook-browser"] = {}, global.spacetrim, global.destroyable, global.rxjs, global.Cryp... L5: })(this, (function (exports, spacetrim, destroyable, rxjs, CryptoJS, hexEncoder, path, crypto, moment, mimeTypes, waitasecond, sha256, papaparse, agents, colors, Bottleneck, OpenAI...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

umd/index.umd.jsView on unpkg · L3
package.jsonView file
Runtime dependency names matching Node built-ins: crypto
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

2 High4 Medium4 Low
HighObfuscated Payload Loaderumd/index.umd.js
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requireesm/index.es.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowEvalesm/index.es.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings