registry  /  @ss-dev-x/agentdeck  /  2.3.0

@ss-dev-x/agentdeck@2.3.0

Agents Deck — a local web UI over the `claude agents` workflow (live terminals, split deck, integrated shells).

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 890 KB of source, external domains: api.anthropic.com, claude.ai, github.com, reactjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
dist-server/index.jsView file
1var $t=Object.defineProperty;var Jt=(e,t,n)=>()=>{if(n)throw n[0];try{return e&&(t=e(e=0)),t}catch(s){throw n=[s],s}};var Rt=(e,t)=>{for(var n in t)$t(e,n,{get:t[n],enumerable:!0})... L2: `);d>=0&&(a=a.slice(d+1))}return a}finally{await n.close()}}async function Ge(e,t,n=2e6){let s;try{s=await Ke(e,n)}catch{return[]}let r=[];for(let i of s.split(`
High
Child Process

Package source references child process execution.

dist-server/index.jsView on unpkg · L1
1var $t=Object.defineProperty;var Jt=(e,t,n)=>()=>{if(n)throw n[0];try{return e&&(t=e(e=0)),t}catch(s){throw n=[s],s}};var Rt=(e,t)=>{for(var n in t)$t(e,n,{get:t[n],enumerable:!0})... L2: `);d>=0&&(a=a.slice(d+1))}return a}finally{await n.close()}}async function Ge(e,t,n=2e6){let s;try{s=await Ke(e,n)}catch{return[]}let r=[];for(let i of s.split(`
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist-server/index.jsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = @ss-dev-x/agentdeck@2.1.0 matchedIdentity = npm:QHNzLWRldi14L2FnZW50ZGVjaw:2.1.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist-server/index.jsView on unpkg
bin/agentdeck.mjsView file
61let out = ""; L62: const p = spawn(`npm view ${PKG} version`, { cwd: ROOT, shell: true, windowsHide: true }); L63: p.stdout?.on("data", (d) => (out += d));
High
Shell

Package source references shell execution.

bin/agentdeck.mjsView on unpkg · L61

Findings

5 High3 Medium6 Low
HighChild Processdist-server/index.js
HighShellbin/agentdeck.mjs
HighSame File Env Network Executiondist-server/index.js
HighObfuscated
HighPrevious Version Dangerous Deltadist-server/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License