registry  /  @rdk-moss/agent  /  0.5.3

@rdk-moss/agent@0.5.3

Moss Agent: a cross-platform agent harness by D-Robotics for daily coding & office work, with robotics capabilities as pluggable skills. Embeddable; bring your own persona, tools, and model.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 616 file(s), 4.49 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.bochaai.com, api.deepseek.com, api.exa.ai, api.openai.com, api.search.brave.com, blog.google, cdn.jsdelivr.net, dashscope.aliyuncs.com, duckduckgo.com, example.com, github.blog, github.com, google.com, html.duckduckgo.com, huggingface.co, lite.duckduckgo.com, nodejs.org, openai.com, registry.npmjs.org, sso.d-robotics.cc, stackoverflow.blog, www.36kr.com, www.anthropic.com, www.baidu.com, www.bing.com, www.roboticsbusinessreview.com, www.zhihu.com, your-gateway.example

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node -e "const fs=require('fs');try{fs.chmodSync('dist/cli.js',0o755)}catch{}"
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node -e "const fs=require('fs');try{fs.chmodSync('dist/cli.js',0o755)}catch{}"
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli/device-connect.jsView file
57patternName = generic_password severity = medium line = 57 matchedText = password...th);
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli/device-connect.jsView on unpkg · L57
dist/eval/eval-tool.jsView file
166if (!input.suiteName) { L167: return 'Error: suiteName is required when using responses array. Example: eval(action="run", suiteName="my_suite", responses=[...])'; L168: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/eval/eval-tool.jsView on unpkg · L166
dist/core/agent/moss-agent.jsView file
990const observerModule = '../../run-observer/index.js'; L991: void import(observerModule).then((mod) => mod?.onRunCompleted?.(summary)).catch(() => { }); L992: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/core/agent/moss-agent.jsView on unpkg · L990
dist/skill-learning/conversation-skill-learner.jsView file
14function readAutoMode() { L15: const raw = String(process.env.RDK_MOSS_AUTO_CONVERSATION_SKILL ?? '') L16: .trim() ... L357: try { L358: parsed = JSON.parse(raw); L359: }
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/skill-learning/conversation-skill-learner.jsView on unpkg · L14
dist/tools/browser-tools.jsView file
159package = @rdk-moss/agent; repositoryIdentity = moss; dependency = puppeteer-core L159: try { L160: const puppeteer = await import('puppeteer-core'); L161: const args = ['--disable-dev-shm-usage'];
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/tools/browser-tools.jsView on unpkg · L159
assets/rdk-knowledge/skills/rdk-model-zoo/scripts/branch_selector.pyView file
path = assets/rdk-knowledge/skills/rdk-model-zoo/scripts/branch_selector.py kind = build_helper sizeBytes = 4045 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

assets/rdk-knowledge/skills/rdk-model-zoo/scripts/branch_selector.pyView on unpkg
dist/cli-main.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @rdk-moss/agent@0.5.2 matchedIdentity = npm:QHJkay1tb3NzL2FnZW50:0.5.2 similarity = 0.633 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli-main.jsView on unpkg
src/cli/device-connect.tsView file
85patternName = generic_password severity = medium line = 85 matchedText = password...th);
Medium
Secret Pattern

Hardcoded password in src/cli/device-connect.ts

src/cli/device-connect.tsView on unpkg · L85

Findings

3 High8 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighCopied Package Dependency Bridgedist/tools/browser-tools.js
HighPrevious Version Dangerous Deltadist/cli-main.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patterndist/cli/device-connect.js
MediumDynamic Requiredist/core/agent/moss-agent.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperassets/rdk-knowledge/skills/rdk-model-zoo/scripts/branch_selector.py
MediumStructural Risk Force Deep Review
MediumSecret Patternsrc/cli/device-connect.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/eval/eval-tool.js
LowWeak Cryptodist/skill-learning/conversation-skill-learner.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings