@stigmer/runner@3.1.2

Embeddable Temporal worker for the Stigmer AI agent platform — handles agent execution, workflow orchestration, and MCP server management

Static Scan Results

scanned 21h ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 462 file(s), 3.29 MB of source, external domains: api.github.com, api.stigmer.ai, serverlessworkflow.io

Source & flagged code

3 flagged
dist/middleware/otel-spans.js
package = @stigmer/runner; repositoryIdentity = stigmer; dependency = @opentelemetry/api
L41: try {
L42: const api = await import("@opentelemetry/api");
L43: return api;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/runner-manager.js
matchType = previous_version_dangerous_delta
matchedPackage = @stigmer/runner@3.1.1
matchedIdentity = npm:QHN0aWdtZXIvcnVubmVy:3.1.1
similarity = 0.833
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/activities/execute-deep-agent/__tests__/status-builder.test.ts
patternName = generic_password
severity = medium
line = 733
matchedText = password...et",
Medium
Secret Pattern

Hardcoded password in src/activities/execute-deep-agent/__tests__/status-builder.test.ts


Findings

2 High · 4 Medium · 4 Low
High: Copied Package Dependency Bridge (dist/middleware/otel-spans.js)
High: Previous Version Dangerous Delta (dist/runner-manager.js)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Medium: Secret Pattern (src/activities/execute-deep-agent/__tests__/status-builder.test.ts)
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings