registry  /  @visiq/harness  /  0.2.3

@visiq/harness@0.2.3

VisIQ SDK — AI agent governance harness

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTrivialUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 73.4 KB of source, external domains: api.visiqlabs.com

Source & flagged code

8 flagged · loading source
dist/index.jsView file
1patternName = private_key_rsa severity = critical line = 1 matchedText = import{r...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.jsView on unpkg · L1
1patternName = private_key_rsa severity = critical line = 1 matchedText = import{r...----
Critical
Secret Pattern

RSA private key in dist/index.js

dist/index.jsView on unpkg · L1
3patternName = stripe_live_secret severity = critical line = 3 matchedText = -----END...iq};
Critical
Secret Pattern

Stripe live secret key in dist/index.js

dist/index.jsView on unpkg · L3
3patternName = github_pat severity = critical line = 3 matchedText = -----END...iq};
Critical
Secret Pattern

GitHub personal access token in dist/index.js

dist/index.jsView on unpkg · L3
3patternName = aws_access_key severity = critical line = 3 matchedText = -----END...iq};
Critical
Secret Pattern

AWS access key ID in dist/index.js

dist/index.jsView on unpkg · L3
1package = @visiq/harness; repositoryIdentity = xy; dependency = @visiq/core-wasm L1: import{randomUUID as rr}from"node:crypto";import*as le from"node:fs";import*as ce from"node:path";import*as St from"node:os";import{AsyncLocalStorage as ir}from"node:async_hooks";i... L2: MIIEv\u2026
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/index.jsView on unpkg · L1
3patternName = google_api_key severity = high line = 3 matchedText = -----END...iq};
High
Secret Pattern

Google API key in dist/index.js

dist/index.jsView on unpkg · L3
1patternName = generic_password severity = medium line = 1 matchedText = import{r...----
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L1

Findings

5 Critical2 High4 Medium3 Low
CriticalCritical Secretdist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/index.js
HighCopied Package Dependency Bridgedist/index.js
HighSecret Patterndist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings