registry  /  @team-agent/installer  /  0.5.1

@team-agent/installer@0.5.1

npx installer for Team Agent

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
Manifest
CopyleftLicense
scanned 2 file(s), 28.4 KB of source

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node npm/bincheck.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
crates/team-agent/src/tmux_backend/tests.rsView file
1097patternName = aws_access_key severity = critical line = 1097 matchedText = key AKIA...E\n\
Critical
Critical Secret

Package contains a critical-looking secret pattern.

crates/team-agent/src/tmux_backend/tests.rsView on unpkg · L1097
1097patternName = aws_access_key severity = critical line = 1097 matchedText = key AKIA...E\n\
Critical
Secret Pattern

AWS access key ID in crates/team-agent/src/tmux_backend/tests.rs

crates/team-agent/src/tmux_backend/tests.rsView on unpkg · L1097
1113patternName = aws_access_key severity = critical line = 1113 matchedText = !out.con...E"),
Critical
Secret Pattern

AWS access key ID in crates/team-agent/src/tmux_backend/tests.rs

crates/team-agent/src/tmux_backend/tests.rsView on unpkg · L1113
npm/install.mjsView file
1#!/usr/bin/env node L2: import { spawnSync } from "node:child_process"; L3: import fs from "node:fs"; ... L9: const modulePath = fileURLToPath(import.meta.url); L10: const __dirname = path.dirname(modulePath); L11: const packageRoot = path.resolve(__dirname, ".."); L12: const require = createRequire(import.meta.url); L13: const packageJson = JSON.parse(fs.readFileSync(path.join(packageRoot, "package.json"), "utf8")); L14: const DOCTOR_TIMEOUT_MS = 5000; ... L130: const runtimeRoot = path.resolve(expandHome(opts.runtimeDir || path.join(os.homedir(), ".team-agent", "runtime"))); L131: const installTarget = resolveInstallBinDir({ env: process.env, home: os.homedir(), prefix: opts.prefix }); L132: const binDir = installTarget.binDir;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

npm/install.mjsView on unpkg · L1

Findings

3 Critical1 High3 Medium4 Low
CriticalCritical Secretcrates/team-agent/src/tmux_backend/tests.rs
CriticalSecret Patterncrates/team-agent/src/tmux_backend/tests.rs
CriticalSecret Patterncrates/team-agent/src/tmux_backend/tests.rs
HighInstall Time Lifecycle Scriptspackage.json
MediumEnvironment Vars
MediumInstall Persistencenpm/install.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowCopyleft License