registry  /  agentiqa  /  1.1.24

agentiqa@1.1.24

⚠ Under review

AI-powered testing for web and mobile apps

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.29 MB of source, external domains: agentiqa.com, ai-gateway.vercel.sh, ai-sdk.dev, api.openai.com, api.vercel.com, deb.nodesource.com, example.com, generativelanguage.googleapis.com, github.com, google.aip.dev, json-schema.org, raw.githubusercontent.com, vercel.com, your-app.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.preinstall = node scripts/preinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.preinstall = node scripts/preinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
scripts.postinstall = npx playwright install chromium 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/cli.jsView file
1#!/usr/bin/env node L2: var kk=Object.create;var Um=Object.defineProperty;var Ek=Object.getOwnPropertyDescriptor;var Ak=Object.getOwnPropertyNames;var Rk=Object.getPrototypeOf,Ck=Object.prototype.hasOwnPr... L3: ${r.message}`),n?new XC.VercelOidcTokenError(n):r}return t}function Zu(){let t=(0,JC.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!t)throw new E... L4: `)}}}import{spawn as yH}from"node:child_process";import{mkdirSync as vH,writeFileSync as bH,existsSync as _H,statSync as wH}from"node:fs";import{tmpdir as SH}from"node:os";import L... L5: `))}async uploadScreenshot(e,r){let n=Zr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:r}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L232: Current URL: ${y.url}`)+` L233: OS: ${p}${w}`),{env:y,contextText:x}}var Hm=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L234: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confirm verified state before completing. ... L1769: `+r.jo
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/cli.js L1: #!/usr/bin/env node L2: var kk=Object.create;var Um=Object.defineProperty;var Ek=Object.getOwnPropertyDescriptor;var Ak=Object.getOwnPropertyNames;var Rk=Object.getPrototypeOf,Ck=Object.prototype.hasOwnPr... L3: ${r.message}`),n?new XC.VercelOidcTokenError(n):r}return t}function Zu(){let t=(0,JC.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!t)throw new E... L4: `)}}}import{spawn as yH}from"node:child_process";import{mkdirSync as vH,writeFileSync as bH,existsSync as _H,statSync as wH}from"node:fs";import{tmpdir as SH}from"node:os";import L... L5: `))}async uploadScreenshot(e,r){let n=Zr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:r}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L232: Current URL: ${y.url}`)+` L233: OS: ${p}${w}`),{env:y,contextText:x}}var Hm=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L234: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confi…
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L1
3${r.message}`),n?new XC.VercelOidcTokenError(n):r}return t}function Zu(){let t=(0,JC.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!t)throw new E... L4: `)}}}import{spawn as yH}from"node:child_process";import{mkdirSync as vH,writeFileSync as bH,existsSync as _H,statSync as wH}from"node:fs";import{tmpdir as SH}from"node:os";import L... L5: `))}async uploadScreenshot(e,r){let n=Zr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:r}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics...
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
1#!/usr/bin/env node L2: var kk=Object.create;var Um=Object.defineProperty;var Ek=Object.getOwnPropertyDescriptor;var Ak=Object.getOwnPropertyNames;var Rk=Object.getPrototypeOf,Ck=Object.prototype.hasOwnPr... L3: ${r.message}`),n?new XC.VercelOidcTokenError(n):r}return t}function Zu(){let t=(0,JC.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!t)throw new E... L4: `)}}}import{spawn as yH}from"node:child_process";import{mkdirSync as vH,writeFileSync as bH,existsSync as _H,statSync as wH}from"node:fs";import{tmpdir as SH}from"node:os";import L... L5: `))}async uploadScreenshot(e,r){let n=Zr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:r}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var kk=Object.create;var Um=Object.defineProperty;var Ek=Object.getOwnPropertyDescriptor;var Ak=Object.getOwnPropertyNames;var Rk=Object.getPrototypeOf,Ck=Object.prototype.hasOwnPr... L3: ${r.message}`),n?new XC.VercelOidcTokenError(n):r}return t}function Zu(){let t=(0,JC.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!t)throw new E... L4: `)}}}import{spawn as yH}from"node:child_process";import{mkdirSync as vH,writeFileSync as bH,existsSync as _H,statSync as wH}from"node:fs";import{tmpdir as SH}from"node:os";import L... L5: `))}async uploadScreenshot(e,r){let n=Zr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:r}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var kk=Object.create;var Um=Object.defineProperty;var Ek=Object.getOwnPropertyDescriptor;var Ak=Object.getOwnPropertyNames;var Rk=Object.getPrototypeOf,Ck=Object.prototype.hasOwnPr... L3: ${r.message}`),n?new XC.VercelOidcTokenError(n):r}return t}function Zu(){let t=(0,JC.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!t)throw new E... L4: `)}}}import{spawn as yH}from"node:child_process";import{mkdirSync as vH,writeFileSync as bH,existsSync as _H,statSync as wH}from"node:fs";import{tmpdir as SH}from"node:os";import L... L5: `))}async uploadScreenshot(e,r){let n=Zr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:r}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L232: Current URL: ${y.url}`)+` L233: OS: ${p}${w}`),{env:y,contextText:x}}var Hm=["google.com","youtube.com","claude.ai","chatgpt.com","openai.com","gemini.google.com","bing.com","duckduckgo.com","wikipedia.org","face... L234: - After submitting the signup form, call check_email, click the verification link (or read the verification code and submit it), and confirm verified state before completing. ... L1769: `+r.jo
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: var kk=Object.create;var Um=Object.defineProperty;var Ek=Object.getOwnPropertyDescriptor;var Ak=Object.getOwnPropertyNames;var Rk=Object.getPrototypeOf,Ck=Object.prototype.hasOwnPr... L3: ${r.message}`),n?new XC.VercelOidcTokenError(n):r}return t}function Zu(){let t=(0,JC.getContext)().headers?.["x-vercel-oidc-token"]??process.env.VERCEL_OIDC_TOKEN;if(!t)throw new E... L4: `)}}}import{spawn as yH}from"node:child_process";import{mkdirSync as vH,writeFileSync as bH,existsSync as _H,statSync as wH}from"node:fs";import{tmpdir as SH}from"node:os";import L... L5: `))}async uploadScreenshot(e,r){let n=Zr("img"),s=this.sessions.get(e)??null,o=JSON.stringify({sessionId:e,eventId:n,imageBase64:r}),i=a=>this.fetchFn(`${this.apiUrl}/api/analytics... ... L367: L368: This is a client-side timeout. To resolve this, increase your timeout configuration: https://vercel.com/docs/ai-gateway/capabilities/video-generation#extending-timeouts-for-node.js... L369:
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/cli.jsView on unpkg · L1

Findings

2 Critical6 High5 Medium6 Low
CriticalCredential Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/cli.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRemote Agent Bridgedist/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License