registry  /  agent-device  /  0.18.3

agent-device@0.18.3

Agent-native CLI for AI app automation across iOS, Android, tvOS, Android TV, macOS, Linux, and web.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 87 file(s), 1.42 MB of source, external domains: 127.0.0.1, api-cloud.browserstack.com, cloud.agent-device.dev, example.com, example.trycloudflare.com, github.com, hub-cloud.browserstack.com, registry.npmjs.org

Source & flagged code

9 flagged · loading source
dist/src/7871.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = import e...al};
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/src/7871.jsView on unpkg · L1
bin/agent-device.mjsView file
17L18: await import(pathToFileURL(distPath).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/agent-device.mjsView on unpkg · L17
dist/src/5913.jsView file
1import e from"node:crypto";import t from"node:fs";import n from"node:path";import{AppError as r}from"./485.js";import{resolveUserPath as o,expandUserHomePath as s}from"./9612.js";i... L2: `}function z(e){return`${JSON.stringify({type:"response",response:e})}
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/src/5913.jsView on unpkg · L1
src/platforms/linux/atspi-dump.pyView file
path = src/platforms/linux/atspi-dump.py kind = build_helper sizeBytes = 8177 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/platforms/linux/atspi-dump.pyView on unpkg
android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apkView file
path = android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apk kind = high_entropy_blob sizeBytes = 16811 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apkView on unpkg
path = android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apk kind = compressed_blob sizeBytes = 16811 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apkView on unpkg
path = android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apk kind = nested_archive_needs_inspection sizeBytes = 16811 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

android-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apkView on unpkg
dist/src/8875.jsView file
matchType = previous_version_dangerous_delta matchedPackage = agent-device@0.18.1 matchedIdentity = npm:YWdlbnQtZGV2aWNl:0.18.1 similarity = 0.732 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/8875.jsView on unpkg
dist/src/485.jsView file
1patternName = generic_password severity = medium line = 1 matchedText = let e=/(...de};
Medium
Secret Pattern

Hardcoded password in dist/src/485.js

dist/src/485.jsView on unpkg · L1

Findings

2 High8 Medium7 Low
HighShips High Entropy Blobandroid-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apk
HighPrevious Version Dangerous Deltadist/src/8875.js
MediumSecret Patterndist/src/7871.js
MediumDynamic Requirebin/agent-device.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersrc/platforms/linux/atspi-dump.py
MediumShips Compressed Blobandroid-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apk
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/src/485.js
LowScripts Present
LowWeak Cryptodist/src/5913.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionandroid-snapshot-helper/dist/agent-device-android-snapshot-helper-0.18.3.apk