registry  /  @tangle-network/sandbox  /  0.9.6

@tangle-network/sandbox@0.9.6

⚠ Under review

Client SDK for the Tangle Sandbox platform - build AI agent applications with dev containers

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 9 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 441 KB of source, external domains: bootstrap.pypa.io, intelligence.tangle.tools, micro.mamba.pm, router.tangle.tools, rpc.tangle.tools

Source & flagged code

3 flagged · loading source
dist/client-vBERsxhj.jsView file
128const reserved = Object.keys(metadata).find((key) => key.startsWith(RESERVED_METADATA_PREFIX)); L129: if (reserved) throw new ValidationError(`${label} metadata key '${reserved}' is reserved by Tangle`, { metadata: "reserved" }); L130: } ... L309: } L310: async exec(machineId, command, options) { L311: const [result] = await this.dispatchExec(command, { ... L322: async dispatchExecDetailed(command, options) { L323: const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/dispatch`, { L324: method: "POST", ... L327: if (!response.ok) { L328: const body = await response.text(); L329: throw parseErrorResponse(response.status, body, void 0, response.headers);
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/client-vBERsxhj.jsView on unpkg · L128
128Trigger-reachable chain: manifest.main -> dist/index.js -> dist/client-vBERsxhj.js L128: const reserved = Object.keys(metadata).find((key) => key.startsWith(RESERVED_METADATA_PREFIX)); L129: if (reserved) throw new ValidationError(`${label} metadata key '${reserved}' is reserved by Tangle`, { metadata: "reserved" }); L130: } ... L309: } L310: async exec(machineId, command, options) { L311: const [result] = await this.dispatchExec(command, { ... L322: async dispatchExecDetailed(command, options) { L323: const response = await this.client.fetch(`/v1/fleets/${this.fleetId}/dispatch`, { L324: method: "POST", ... L327: if (!response.ok) { L328: const body = await response.text(); L329: throw parseErrorResponse(response.status, body, void 0, response.headers);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/client-vBERsxhj.jsView on unpkg · L128
991const [{ existsSync, readFileSync }, { homedir }, { join }] = await Promise.all([ L992: import("node:fs"), L993: import("node:os"),
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client-vBERsxhj.jsView on unpkg · L991

Findings

2 Critical3 Medium4 Low
CriticalCredential Exfiltrationdist/client-vBERsxhj.js
CriticalTrigger Reachable Dangerous Capabilitydist/client-vBERsxhj.js
MediumDynamic Requiredist/client-vBERsxhj.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings