registry  /  agentsmesh  /  0.30.1

agentsmesh@0.30.1

One canonical source for AI coding agent rules, commands, skills, MCP, hooks, and permissions — synced across every major AI coding tool.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 4.07 MB of source, external domains: aider.chat, ampcode.com, antigravity.google, api.github.com, aws.amazon.com, block.github.io, cline.bot, cursor.com, example.com, github.com, gitlab.com, jules.google, kilocode.ai, kiro.dev, opencode.ai, replit.com, roocode.com, samplexbro.github.io, unpkg.com, windsurf.com, www.anthropic.com, www.atlassian.com, www.augmentcode.com, www.factory.ai, www.jetbrains.com, www.trae.ai, www.warp.dev, zed.dev

Source & flagged code

6 flagged · loading source
dist/index.jsView file
10import { createHash } from 'crypto'; L11: import { execFile } from 'child_process'; L12: import { fileURLToPath, pathToFileURL, URL } from 'url';
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L10
24256init_helpers(); L24257: var SCRIPT_REFERENCE_RE = /^(?:\s*(?:bash|sh|zsh|pwsh|powershell)\s+)?["']?(?<path>(?:\.{1,2}\/|[^/\s"'`]+\/)[^\s"'`]+)["']?(?:\s|$)/; L24258: function extractScriptToken(command) {
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L24256
1414init_command_skill(); L1415: init_scoped_agents_import(); L1416: AB_SKILLS = ".agentsmesh/skills";
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1414
10import { createHash } from 'crypto'; L11: import { execFile } from 'child_process'; L12: import { fileURLToPath, pathToFileURL, URL } from 'url'; ... L146: id: z.string().regex(/^[a-z][a-z0-9-]*$/, "Target id must be lowercase with hyphens"), L147: metadata: metadataSchema, L148: generators: generatorsSchema, ... L1010: try { L1011: const parsed = JSON.parse(value); L1012: if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return null; ... L2522: NON_CONTENT_FILES = /* @__PURE__ */ new Set([ L2523: "package.json", L2524: "package-lock.json",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L10
dist/cli.jsView file
1#!/usr/bin/env node L2: import {resolve,join,dirname,basename,sep,relative,extname,normalize,win32,posix,isAbsolute}from'path';import {rm as rm$1,readFile,readdir,stat,mkdir,writeFile,rename,realpath,lsta... L3: `);},warn(e){Wa||process.stderr.write(xp(Sc.yellow,"\u26A0 ",process.stderr)+e+` ... L10: `);}};});var os,mn,kc,Zn,Lc,tr,ss=d(()=>{os=class extends Error{static{s(this,"AgentsMeshError");}code;constructor(t,r,n){super(r,n),this.name="AgentsMeshError",this.code=t;}},mn=c... L11: `)}function T_(e){return RY.has(extname(e).toLowerCase())?493:void 0}var Ec,_Y,SY,RY,uf=d(()=>{Ec="\uFEFF",_Y=new Set([".md",".mdc",".mdx",".markdown",".txt",".json",".jsonc",".yam... L12: ${stringify(e,{lineWidth:0}).trimEnd()}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L1
1#!/usr/bin/env node L2: import {resolve,join,dirname,basename,sep,relative,extname,normalize,win32,posix,isAbsolute}from'path';import {rm as rm$1,readFile,readdir,stat,mkdir,writeFile,rename,realpath,lsta... L3: `);},warn(e){Wa||process.stderr.write(xp(Sc.yellow,"\u26A0 ",process.stderr)+e+` ... L10: `);}};});var os,mn,kc,Zn,Lc,tr,ss=d(()=>{os=class extends Error{static{s(this,"AgentsMeshError");}code;constructor(t,r,n){super(r,n),this.name="AgentsMeshError",this.code=t;}},mn=c... L11: `)}function T_(e){return RY.has(extname(e).toLowerCase())?493:void 0}var Ec,_Y,SY,RY,uf=d(()=>{Ec="\uFEFF",_Y=new Set([".md",".mdc",".mdx",".markdown",".txt",".json",".jsonc",".yam... L12: ${stringify(e,{lineWidth:0}).trimEnd()}
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L1

Findings

4 High4 Medium5 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings