agent-services-platform@1.0.0

MCP server exposing AI agent services — research, contract analysis, code review & data enrichment — with x402 micropayments on Base L2

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 22 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Crypto, EnvironmentVars, Filesystem, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 33 file(s), 166 KB of source, external domains: agents.aiscale.pro, aiscale.pro, api.cdp.coinbase.com, api.hunter.io, base.org, company.clearbit.com, example.com, facebook.com, faucet.circle.com, finviz.com, linkedin.com, newsapi.org, sepolia.base.org, twitter.com, www.alphavantage.co, x402.org

Source & flagged code

14 flagged
dist/middleware/x402-paywall.js
20: patternName = private_key_ec severity = critical line = 20 matchedText = if (key....)) {
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/middleware/x402-paywall.js · L20
20: patternName = private_key_ec severity = critical line = 20 matchedText = if (key....)) {
Critical
Secret Pattern

EC private key in dist/middleware/x402-paywall.js

dist/middleware/x402-paywall.js · L20
dist/services/sub-agents/research-synth.js
L6: exports.researchSynthHandler = researchSynthHandler;
L7: const axios_1 = __importDefault(require("axios"));
L8: const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
...
L25: if (!parseResult.success) {
L26: res.status(400).json({ error: 'Invalid request', details: parseResult.error.errors });
L27: return;
L28: }
L29: const anthropicKey = process.env.ANTHROPIC_API_KEY;
L30: if (!anthropicKey || anthropicKey === 'your_anthropic_api_key') {
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/services/sub-agents/research-synth.js · L6
dist/utils/ssrf-guard.js
L6: exports.SsrfError = void 0;
L7: exports.isPrivateIP = isPrivateIP;
L8: exports.validateUrl = validateUrl;
...
L10: const util_1 = require("util");
L11: const axios_1 = __importDefault(require("axios"));
L12: const dnsResolve = (0, util_1.promisify)(require('dns').resolve4);
L13: const BLOCKED_HOSTS = new Set([
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/utils/ssrf-guard.js · L6
dist/payments/wallet.js
14: patternName = private_key_ec severity = critical line = 14 matchedText = * 2. Con...CS#8
Critical
Secret Pattern

EC private key in dist/payments/wallet.js

dist/payments/wallet.js · L14
15: patternName = private_key_rsa severity = critical line = 15 matchedText = * (--...ires
Critical
Secret Pattern

RSA private key in dist/payments/wallet.js

dist/payments/wallet.js · L15
21: patternName = private_key_ec severity = critical line = 21 matchedText = if (pem....)) {
Critical
Secret Pattern

EC private key in dist/payments/wallet.js

dist/payments/wallet.js · L21
dist/utils/pem.js
5: patternName = private_key_ec severity = critical line = 5 matchedText = * Conver...---)
Critical
Secret Pattern

EC private key in dist/utils/pem.js

dist/utils/pem.js · L5
6: patternName = private_key_rsa severity = critical line = 6 matchedText = * to PKC...tic,
Critical
Secret Pattern

RSA private key in dist/utils/pem.js

dist/utils/pem.js · L6
16: patternName = private_key_ec severity = critical line = 16 matchedText = .replace... '')
Critical
Secret Pattern

EC private key in dist/utils/pem.js

dist/utils/pem.js · L16
65: patternName = private_key_rsa severity = critical line = 65 matchedText = return `...\n`;
Critical
Secret Pattern

RSA private key in dist/utils/pem.js

dist/utils/pem.js · L65
dist/utils/pem.d.ts
2: patternName = private_key_ec severity = critical line = 2 matchedText = * Conver...---)
Critical
Secret Pattern

EC private key in dist/utils/pem.d.ts

dist/utils/pem.d.ts · L2
3: patternName = private_key_rsa severity = critical line = 3 matchedText = * to PKC...tic,
Critical
Secret Pattern

RSA private key in dist/utils/pem.d.ts

dist/utils/pem.d.ts · L3
dist/scripts/seed-transactions.js
40: patternName = private_key_ec severity = critical line = 40 matchedText = if (key....)) {
Critical
Secret Pattern

EC private key in dist/scripts/seed-transactions.js

dist/scripts/seed-transactions.js · L40

Findings

12 Critical · 2 High · 3 Medium · 5 Low
Critical · Critical Secret · dist/middleware/x402-paywall.js
Critical · Secret Pattern · dist/middleware/x402-paywall.js
Critical · Secret Pattern · dist/payments/wallet.js
Critical · Secret Pattern · dist/payments/wallet.js
Critical · Secret Pattern · dist/payments/wallet.js
Critical · Secret Pattern · dist/utils/pem.js
Critical · Secret Pattern · dist/utils/pem.js
Critical · Secret Pattern · dist/utils/pem.js
Critical · Secret Pattern · dist/utils/pem.js
Critical · Secret Pattern · dist/utils/pem.d.ts
Critical · Secret Pattern · dist/utils/pem.d.ts
Critical · Secret Pattern · dist/scripts/seed-transactions.js
High · Credential Exfiltration · dist/services/sub-agents/research-synth.js
High · Cloud Metadata Access · dist/utils/ssrf-guard.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings