registry  /  @webpresso/agent-kit  /  2.5.0

@webpresso/agent-kit@2.5.0

TypeScript-first agent harness for guarded develop/deploy workflows: wp CLI gates, MCP tools, hooks, memory, worktrees, secrets, audits, and evidence checks.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 12 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 683 file(s), 3.18 MB of source, external domains: api.webpresso.io, bun.sh, developers.openai.com, github.com, json.schemastore.org, raw.githubusercontent.com, registry.npmjs.org, telemetry.webpresso.dev

Source & flagged code

3 flagged · loading source
dist/esm/config/oxlint/tier-boundaries.jsView file
14try { L15: const packageBoundaryModule = await import(packageBoundaryModuleUrl.href); L16: return packageBoundaryModule.PACKAGE_TIERS ?? FALLBACK_PACKAGE_TIERS;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/esm/config/oxlint/tier-boundaries.jsView on unpkg · L14
dist/esm/audit/weakness-mining/index.jsView file
6import { readPretoolEvidence, } from "./read-pretool-log.js"; L7: export async function auditWeaknessMining(rootDirectory = process.cwd(), options = {}) { L8: const report = mineWeaknesses(rootDirectory, options);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/esm/audit/weakness-mining/index.jsView on unpkg · L6
dist/esm/tool-runtime/resolve-runner.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @webpresso/agent-kit@2.4.3 matchedIdentity = npm:QHdlYnByZXNzby9hZ2VudC1raXQ:2.4.3 similarity = 0.617 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/esm/tool-runtime/resolve-runner.jsView on unpkg

Findings

1 High5 Medium6 Low
HighPrevious Version Dangerous Deltadist/esm/tool-runtime/resolve-runner.js
MediumDynamic Requiredist/esm/config/oxlint/tier-boundaries.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/esm/audit/weakness-mining/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings