registry  /  agentiqa  /  1.1.23

agentiqa@1.1.23

⚠ Under review

AI-powered testing for web and mobile apps

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 18 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.09 MB of source, external domains: agentiqa.com, ai-gateway.vercel.sh, ai-sdk.dev, api.vercel.com, deb.nodesource.com, example.com, generativelanguage.googleapis.com, github.com, google.aip.dev, json-schema.org, raw.githubusercontent.com, vercel.com, your-app.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = npx playwright install chromium 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = node scripts/preinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts.postinstall = npx playwright install chromium 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
1#!/usr/bin/env node L2: var SS=Object.create;var fd=Object.defineProperty;var TS=Object.getOwnPropertyDescriptor;var xS=Object.getOwnPropertyNames;var IS=Object.getPrototypeOf,kS=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new L0.VercelOidcTokenError(n):t}return r}function hc(){let r=(0,D0.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=cr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L231: Current URL: ${g.url}`)+` L232: OS: ${p}${v}`),{env:g,contextText:S}}var _d=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L233: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confirm verified state before completing. ... L1616: L1617: `})}return{systemInstruction:o.length>0&&!l?{parts:o}:void 0,contents:i}}function Nb(r){return r.includes("/")?r:`models/${r}`}var Db=ee(()=>X(st.object({responseModalities:st.arra... L1
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/cli.js L1: #!/usr/bin/env node L2: var SS=Object.create;var fd=Object.defineProperty;var TS=Object.getOwnPropertyDescriptor;var xS=Object.getOwnPropertyNames;var IS=Object.getPrototypeOf,kS=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new L0.VercelOidcTokenError(n):t}return r}function hc(){let r=(0,D0.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=cr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L231: Current URL: ${g.url}`)+` L232: OS: ${p}${v}`),{env:g,contextText:S}}var _d=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L233: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confirm verified state before completing. ... L1616: L1617: `})}return{systemInstruction:o.length>0&&!l?{parts:o}:void 0,contents:i}}function Nb(r){return r.includes("/")?r:`models/${r}`}var D…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L1
2var SS=Object.create;var fd=Object.defineProperty;var TS=Object.getOwnPropertyDescriptor;var xS=Object.getOwnPropertyNames;var IS=Object.getPrototypeOf,kS=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new L0.VercelOidcTokenError(n):t}return r}function hc(){let r=(0,D0.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=cr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L2
1#!/usr/bin/env node L2: var SS=Object.create;var fd=Object.defineProperty;var TS=Object.getOwnPropertyDescriptor;var xS=Object.getOwnPropertyNames;var IS=Object.getPrototypeOf,kS=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new L0.VercelOidcTokenError(n):t}return r}function hc(){let r=(0,D0.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=cr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
1612${JSON.stringify({status:S,error:T,summary:`${f?"Interrupted":v?"Timed out":"Failed"} after ${Math.round(d/1e3)}s: ${T}`,partialFindings:w,duration_ms:d,...h?.blockKind?{blockKind:... L1613: [/CHILD_RESULT]`;this.injectChildResult(e,P)}finally{c&&clearTimeout(c),l&&this.activeChildren.delete(l);let u=`${this.sessionId}:${e}`;this.deps.computerUseService?.clearCredentia... L1614: ... L1616: L1617: `})}return{systemInstruction:o.length>0&&!l?{parts:o}:void 0,contents:i}}function Nb(r){return r.includes("/")?r:`models/${r}`}var Db=ee(()=>X(st.object({responseModalities:st.arra... L1618: ${r.stack??""}`;if(typeof r=="string")return r;try{return JSON.stringify(r)}catch{return String(r)}}function a_(r){return lr(i_(r))}function wL(r,e){let{provider:t}=Cl(r);return t=... L1619: `)}function bt(r,e){process.stdout.write(JSON.stringify({ok:!1,schemaVersion:b_,error:{code:r,message:e}})+` L1620: `)}import{createServer as j$}from"node:net";import{createRequire as F$}from"node:module";import{appendFileSync as q$}from"node:fs";import{inspect as B$}from"node:util";import qu fr... L1621: `,"utf8")}catch{}}async flush(){}destroy(){}};var Va=class{store=new Map;async get(e){return this.stor
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1612
1#!/usr/bin/env node L2: var SS=Object.create;var fd=Object.defineProperty;var TS=Object.getOwnPropertyDescriptor;var xS=Object.getOwnPropertyNames;var IS=Object.getPrototypeOf,kS=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new L0.VercelOidcTokenError(n):t}return r}function hc(){let r=(0,D0.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=cr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L231: Current URL: ${g.url}`)+` L232: OS: ${p}${v}`),{env:g,contextText:S}}var _d=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L233: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confirm verified state before completing. ... L1616: L1617: `})}return{systemInstruction:o.length>0&&!l?{parts:o}:void 0,contents:i}}function Nb(r){return r.includes("/")?r:`models/${r}`}var Db=ee(()=>X(st.object({responseModalities:st.arra... L1
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var SS=Object.create;var fd=Object.defineProperty;var TS=Object.getOwnPropertyDescriptor;var xS=Object.getOwnPropertyNames;var IS=Object.getPrototypeOf,kS=Object.prototype.hasOwnPr... L3: ${t.message}`),n?new L0.VercelOidcTokenError(n):t}return r}function hc(){let r=(0,D0.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!r)throw new E... L4: `))}async uploadScreenshot(e,t){let n=cr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:t}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L366: L367: This is a client-side timeout. To resolve this, increase your timeout configuration: https://vercel.com/docs/ai-gateway/capabilities/video-generation#extending-timeouts-for-node.js... L368:
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/cli.jsView on unpkg · L1

Findings

2 Critical6 High5 Medium5 Low
CriticalCredential Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRemote Agent Bridgedist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License