registry  /  @webpresso/agent-kit  /  2.4.5

@webpresso/agent-kit@2.4.5

⚠ Under review

TypeScript-first agent harness for guarded develop/deploy workflows: wp CLI gates, MCP tools, hooks, memory, worktrees, secrets, audits, and evidence checks.

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 655 file(s), 3.11 MB of source, external domains: api.webpresso.io, bun.sh, developers.openai.com, github.com, mcp.context7.com, raw.githubusercontent.com, registry.npmjs.org, telemetry.webpresso.dev

Source & flagged code

4 flagged · loading source
dist/esm/config/oxlint/tier-boundaries.jsView file
14try { L15: const packageBoundaryModule = await import(packageBoundaryModuleUrl.href); L16: return packageBoundaryModule.PACKAGE_TIERS ?? FALLBACK_PACKAGE_TIERS;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/esm/config/oxlint/tier-boundaries.jsView on unpkg · L14
dist/esm/audit/weakness-mining/index.jsView file
6import { readPretoolEvidence, } from "./read-pretool-log.js"; L7: export async function auditWeaknessMining(rootDirectory = process.cwd(), options = {}) { L8: const report = mineWeaknesses(rootDirectory, options);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/esm/audit/weakness-mining/index.jsView on unpkg · L6
catalog/agent/skills/systematic-debugging/find-polluter.shView file
path = catalog/agent/skills/systematic-debugging/find-polluter.sh kind = build_helper sizeBytes = 1528 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

catalog/agent/skills/systematic-debugging/find-polluter.shView on unpkg
dist/esm/cli/commands/blueprint/mutations.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @webpresso/agent-kit@2.4.3 matchedIdentity = npm:QHdlYnByZXNzby9hZ2VudC1raXQ:2.4.3 similarity = 0.942 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/esm/cli/commands/blueprint/mutations.jsView on unpkg

Findings

1 Critical6 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/esm/cli/commands/blueprint/mutations.js
MediumDynamic Requiredist/esm/config/oxlint/tier-boundaries.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helpercatalog/agent/skills/systematic-debugging/find-polluter.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/esm/audit/weakness-mining/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings