@stigmer/runner@3.1.0

Embeddable Temporal worker for the Stigmer AI agent platform — handles agent execution, workflow orchestration, and MCP server management

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 452 file(s), 3.20 MB of source, external domains: api.github.com, api.stigmer.ai, serverlessworkflow.io

Source & flagged code

2 flagged
dist/middleware/otel-spans.js
Line 41: package = @stigmer/runner; repositoryIdentity = stigmer; dependency = @opentelemetry/api
  L41: try {
  L42:     const api = await import("@opentelemetry/api");
  L43:     return api;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/middleware/otel-spans.js · L41
src/activities/execute-deep-agent/__tests__/status-builder.test.ts
Line 733: patternName = generic_password; severity = medium; line = 733; matchedText = password...et",
Medium
Secret Pattern

Hardcoded password in src/activities/execute-deep-agent/__tests__/status-builder.test.ts

src/activities/execute-deep-agent/__tests__/status-builder.test.ts · L733

Findings

1 High · 4 Medium · 4 Low
High · Copied Package Dependency Bridge · dist/middleware/otel-spans.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · src/activities/execute-deep-agent/__tests__/status-builder.test.ts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings