registry  /  @vercel/agent-eval  /  1.2.0

@vercel/agent-eval@1.2.0

Framework for testing AI coding agents in isolated sandboxes

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI agent evaluation framework that runs selected agents in Docker/Vercel sandboxes and writes eval results/project scaffolds during explicit CLI workflows.

Static reason
One or more suspicious static signals were detected.
Trigger
User invokes agent-eval commands or imports the library API.
Impact
Runs configured coding agents against eval fixtures and records outputs; no install-time mutation or stealth persistence found.
Mechanism
User-invoked sandbox orchestration and result/project file generation
Rationale
Static inspection shows suspicious primitives are package-aligned and activated by explicit CLI/eval workflows, with sandbox-scoped agent setup rather than install-time foreign agent control-surface hijacking. No evidence of credential exfiltration, persistence, destructive behavior outside result housekeeping, or remote payload execution at install/import time was found.
Evidence
package.jsondist/cli.jsdist/lib/init.jsdist/lib/config.jsdist/lib/sandbox.jsdist/lib/agents/shared.jsdist/lib/agents/plugin/orchestrator.jsdist/lib/agents/codex/agent.jsdist/lib/agents/codex/run.mjsdist/lib/agents/claude-code/run.mjsdist/lib/agents/cursor/agent.jsdist/lib/agents/opencode/agent.js
Network endpoints7
ai-gateway.vercel.shai-gateway.vercel.sh/v1api.openai.com/v1vercel.com/dashboardvercel.com/account/tokensgithub.com/vercel-labs/agent-evalcursor.com/install

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall/prepare hook; only prepublishOnly build for publisher use.
    • dist/cli.js actions are user-invoked CLI commands; npx playground launch is explicit.
    • dist/lib/agents/*/run.mjs spawn agent CLIs inside orchestrated sandbox runners, not import/install time.
    • dist/lib/agents/codex/agent.js writes ~/.codex/default.config.toml via sandbox setup for the selected Codex agent.
    • dist/lib/init.js only scaffolds files under a user-requested project directory.
    • No credential harvesting or exfiltration endpoints found; env vars are checked/passed to configured agents.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 40 file(s), 302 KB of source, external domains: ai-gateway.vercel.sh, api.openai.com, cursor.com, github.com, opencode.ai, vercel.com

    Source & flagged code

    5 flagged · loading source
    dist/lib/agents/claude-code/run.mjsView file
    21L22: import { spawnSync } from 'node:child_process'; L23: import { mkdirSync, readdirSync, readFileSync, statSync, writeFileSync } from 'node:fs';
    High
    Child Process

    Package source references child process execution.

    dist/lib/agents/claude-code/run.mjsView on unpkg · L21
    dist/lib/agents/codex/run.mjsView file
    196*/ L197: export function buildCodexExecArgs(input) { L198: const extra = input.extra ?? {};
    High
    Shell

    Package source references shell execution.

    dist/lib/agents/codex/run.mjsView on unpkg · L196
    dist/cli.jsView file
    233// Try to run the playground package directly, fall back to npx L234: const result = spawnSync('npx', ['@vercel/agent-eval-playground', ...playgroundArgs], { stdio: 'inherit', cwd: process.cwd() }); L235: process.exit(result.status ?? 1);
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/cli.jsView on unpkg · L233
    109if (models.length > 1) { L110: console.log(chalk.blue(`\nRunning ${smokeEvalNames.length} eval(s) x ${smokeRuns} run(s) x ${models.length} model(s) = ${totalRuns} total runs`)); L111: console.log(chalk.blue(`Agent: ${config.agent}, Models: ${models.join(', ')}, Timeout: ${config.timeout}s, Early Exit: ${config.earlyExit}`));
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/cli.jsView on unpkg · L109
    dist/lib/config.jsView file
    111if (configPath.endsWith('.ts')) { L112: const { createJiti } = await import('jiti'); L113: const jiti = createJiti(import.meta.url, {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/lib/config.jsView on unpkg · L111

    Findings

    3 High3 Medium6 Low
    HighChild Processdist/lib/agents/claude-code/run.mjs
    HighShelldist/lib/agents/codex/run.mjs
    HighRuntime Package Installdist/cli.js
    MediumDynamic Requiredist/lib/config.js
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/cli.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings