registry  /  @reactive-agents/cli  /  0.13.5

@reactive-agents/cli@0.13.5

rax — the Reactive Agents CLI for scaffolding, running, and inspecting AI agents

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 1 file(s), 204 KB of source, external domains: 127.0.0.1, agent.example.com, aistudio.google.com, blog.example.com, cloud.digitalocean.com, cloud.google.com, console.anthropic.com, dashboard.render.com, docs.digitalocean.com, docs.docker.com, docs.reactiveagents.dev, example.io, fly.io, github.com, hacker-news.firebaseio.com, hashnode.example.dev, news.ycombinator.com, openai.com, platform.openai.com, railway.com, render.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
575import { join as join4, resolve } from "path"; L576: import { spawnSync } from "child_process"; L577: var HELP3 = `
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L575
4903entrypoint: > L4904: sh -c "sleep 10 && curl -s http://ollama:11434/api/pull -d '{"name": "qwen3:14b"}'" L4905:
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L4903
4627function getRegion() { L4628: return process.env.GCP_REGION ?? DEPLOY_DEFAULTS.regions.cloudrun; L4629: } ... L4631: try { L4632: const out = exec("gcloud auth list --filter=status:ACTIVE --format='value(account)' 2>/dev/null"); L4633: return out.trim().length > 0; ... L4641: cliNames: ["gcloud"], L4642: installHint: "https://cloud.google.com/sdk/docs/install", L4643: preflight(ctx) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L4627
2699package = @reactive-agents/cli; repositoryIdentity = reactive-agents-ts; dependency = @reactive-agents/a2a L2699: } L2700: const { generateAgentCard } = await import("@reactive-agents/a2a"); L2701: const agentCard = generateAgentCard({
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/index.jsView on unpkg · L2699
4218try { L4219: const out = exec("railway whoami 2>/dev/null"); L4220: return out.length > 0; ... L4228: cliNames: ["railway"], L4229: installHint: "npm install -g @railway/cli", L4230: preflight(ctx) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L4218
669try { L670: benchmarks = await import("@reactive-agents/benchmarks"); L671: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L669

Findings

5 High5 Medium4 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighCopied Package Dependency Bridgedist/index.js
HighRuntime Package Installdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings