registry  /  agent-dealer  /  0.1.10

agent-dealer@0.1.10

Human control plane for agent execution — queue, plan approval, audit

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 79 file(s), 816 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.linear.app, cursor.com, docs.anthropic.com, github.com, react.dev, registry.npmjs.org, slack.example, www.w3.org

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node ./dist/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./dist/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/ports.jsView file
1import { execSync } from "node:child_process"; L2: import net from "node:net";
High
Child Process

Package source references child process execution.

dist/ports.jsView on unpkg · L1
dist/start.jsView file
1import { spawn } from "node:child_process"; L2: import { loadProdEnvFile, prodEnvFilePath, prodHomeDir, resolveBundledListenPort, shortenHome, } from "./env.js"; ... L10: function isSupervisorMode(options) { L11: return options.supervisor === true || process.env.AGENT_DEALER_SUPERVISOR === "1"; L12: } ... L15: try { L16: const res = await fetch(url); L17: if (res.ok)
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/start.jsView on unpkg · L1
bundle/server/dist/runners/claude.jsView file
matchType = previous_version_dangerous_delta matchedPackage = agent-dealer@0.1.8 matchedIdentity = npm:YWdlbnQtZGVhbGVy:0.1.8 similarity = 0.736 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bundle/server/dist/runners/claude.jsView on unpkg

Findings

5 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/ports.js
HighShell
HighSame File Env Network Executiondist/start.js
HighPrevious Version Dangerous Deltabundle/server/dist/runners/claude.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings