registry  /  agentiqa  /  1.1.19

agentiqa@1.1.19

⚠ Under review

AI-powered testing for web and mobile apps

Static Scan Results

scanned 11d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.04 MB of source, external domains: agentiqa.com, ai-gateway.vercel.sh, ai-sdk.dev, api.vercel.com, deb.nodesource.com, example.com, generativelanguage.googleapis.com, github.com, google.aip.dev, json-schema.org, raw.githubusercontent.com, vercel.com, your-app.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = npx playwright install chromium 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = node scripts/preinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts.postinstall = npx playwright install chromium 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
1#!/usr/bin/env node L2: var Yw=Object.create;var rd=Object.defineProperty;var Kw=Object.getOwnPropertyDescriptor;var Jw=Object.getOwnPropertyNames;var Qw=Object.getPrototypeOf,Xw=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new nI.VercelOidcTokenError(n):t}return r}function cc(){let r=(0,rI.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=lr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L231: Current URL: ${g.url}`)+` L232: OS: ${p}${b}`),{env:g,contextText:w}}var ad=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L233: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confirm verified state before completing. ... L1558: L1559: `})}return{systemInstruction:o.length>0&&!l?{parts:o}:void 0,contents:i}}function ib(r){return r.includes("/")?r:`models/${r}`}var ab=Z(()=>Q(st.object({responseModalities:st.array... L1
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/cli.js L1: #!/usr/bin/env node L2: var Yw=Object.create;var rd=Object.defineProperty;var Kw=Object.getOwnPropertyDescriptor;var Jw=Object.getOwnPropertyNames;var Qw=Object.getPrototypeOf,Xw=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new nI.VercelOidcTokenError(n):t}return r}function cc(){let r=(0,rI.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=lr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L231: Current URL: ${g.url}`)+` L232: OS: ${p}${b}`),{env:g,contextText:w}}var ad=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L233: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confirm verified state before completing. ... L1558: L1559: `})}return{systemInstruction:o.length>0&&!l?{parts:o}:void 0,contents:i}}function ib(r){return r.includes("/")?r:`models/${r}`}var a…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L1
2var Yw=Object.create;var rd=Object.defineProperty;var Kw=Object.getOwnPropertyDescriptor;var Jw=Object.getOwnPropertyNames;var Qw=Object.getPrototypeOf,Xw=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new nI.VercelOidcTokenError(n):t}return r}function cc(){let r=(0,rI.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=lr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L2
1#!/usr/bin/env node L2: var Yw=Object.create;var rd=Object.defineProperty;var Kw=Object.getOwnPropertyDescriptor;var Jw=Object.getOwnPropertyNames;var Qw=Object.getPrototypeOf,Xw=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new nI.VercelOidcTokenError(n):t}return r}function cc(){let r=(0,rI.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=lr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
1554${JSON.stringify({status:b,error:_,summary:`${h?"Interrupted":m?"Timed out":"Failed"} after ${Math.round(u/1e3)}s: ${_}`,partialFindings:T,duration_ms:u})} L1555: [/CHILD_RESULT]`;this.injectChildResult(e,I)}finally{l&&clearTimeout(l),a&&this.activeChildren.delete(a);let c=`${this.sessionId}:${e}`;this.deps.computerUseService?.clearCredentia... L1556: ... L1558: L1559: `})}return{systemInstruction:o.length>0&&!l?{parts:o}:void 0,contents:i}}function ib(r){return r.includes("/")?r:`models/${r}`}var ab=Z(()=>Q(st.object({responseModalities:st.array... L1560: ${r.stack??""}`;if(typeof r=="string")return r;try{return JSON.stringify(r)}catch{return String(r)}}function Pb(r){return ar(Ob(r))}function sD(r,e){let{provider:t}=kl(r);return t=... L1561: `)}function vt(r,e){process.stdout.write(JSON.stringify({ok:!1,schemaVersion:Wb,error:{code:r,message:e}})+` L1562: `)}import{createServer as SL}from"node:net";import{createRequire as TL}from"node:module";import{appendFileSync as xL}from"node:fs";import{inspect as IL}from"node:util";import Au fr... L1563: `,"utf8")}catch{}}async flush(){}destroy(){}};var Fa=class{store=new Map;async get(e){return this.store.get(e)??null}async save(e,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1554
1#!/usr/bin/env node L2: var Yw=Object.create;var rd=Object.defineProperty;var Kw=Object.getOwnPropertyDescriptor;var Jw=Object.getOwnPropertyNames;var Qw=Object.getPrototypeOf,Xw=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new nI.VercelOidcTokenError(n):t}return r}function cc(){let r=(0,rI.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=lr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L231: Current URL: ${g.url}`)+` L232: OS: ${p}${b}`),{env:g,contextText:w}}var ad=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L233: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confirm verified state before completing. ... L1558: L1559: `})}return{systemInstruction:o.length>0&&!l?{parts:o}:void 0,contents:i}}function ib(r){return r.includes("/")?r:`models/${r}`}var ab=Z(()=>Q(st.object({responseModalities:st.array... L1
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var Yw=Object.create;var rd=Object.defineProperty;var Kw=Object.getOwnPropertyDescriptor;var Jw=Object.getOwnPropertyNames;var Qw=Object.getPrototypeOf,Xw=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new nI.VercelOidcTokenError(n):t}return r}function cc(){let r=(0,rI.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=lr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L366: L367: This is a client-side timeout. To resolve this, increase your timeout configuration: https://vercel.com/docs/ai-gateway/capabilities/video-generation#extending-timeouts-for-node.js... L368:
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/cli.jsView on unpkg · L1

Findings

2 Critical6 High5 Medium5 Low
CriticalCredential Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRemote Agent Bridgedist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License