registry  /  @tonyclaw/agent-inspector  /  2.1.14

@tonyclaw/agent-inspector@2.1.14

Agent observability and knowledge capture layer for AI coding tools.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
WildcardDependency
scanned 232 file(s), 1.56 MB of source, external domains: 127.0.0.1, api-docs.deepseek.com, api.anthropic.com, api.deepseek.com, api.example.com, api.groq.com, api.minimaxi.com, api.openai.com, api.together.xyz, dashscope.aliyuncs.com, docs.bigmodel.cn, example.com, huggingface.co, mimo.xiaomi.com, nodejs.org, open.bigmodel.cn, opencode.ai, openrouter.ai, platform.minimaxi.com, www.w3.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/setup-windows-runtime.mjs && node scripts/setup-agent-skills.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/setup-windows-runtime.mjs && node scripts/setup-agent-skills.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts/setup-windows-runtime.mjsView file
6L7: const require = createRequire(import.meta.url); L8: const scriptDir = dirname(fileURLToPath(import.meta.url));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scripts/setup-windows-runtime.mjsView on unpkg · L6
src/proxy/alerts.tsView file
52evidence: AlertEvidenceLink[]; L53: metadata: Record<string, JsonValue>; L54: };
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/proxy/alerts.tsView on unpkg · L52
src/assets/agent-inspector.icoView file
path = src/assets/agent-inspector.ico kind = high_entropy_blob sizeBytes = 14586 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/agent-inspector.icoView on unpkg
src/cli.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @tonyclaw/agent-inspector@2.1.8 matchedIdentity = npm:[redacted]:2.1.8 similarity = 0.767 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli.tsView on unpkg

Findings

3 High6 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobsrc/assets/agent-inspector.ico
HighPrevious Version Dangerous Deltasrc/cli.ts
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirescripts/setup-windows-runtime.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptosrc/proxy/alerts.ts
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings