registry  /  ai-agent-playbook  /  0.5.5

ai-agent-playbook@0.5.5

Reusable AI agent skills, project playbook templates, and a small operator-controlled runtime harness.

Static Scan Results

scanned 6h ago · by rust-scanner

Static analysis flagged 9 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 76 file(s), 1.46 MB of source, external domains: 127.0.0.1.invalid, api.github.com, api.github.invalid

Source & flagged code

3 flagged · loading source
src/automation/executors.mjsView file
1import { execFile, spawn } from 'node:child_process'; L2: import { copyFile, mkdir, mkdtemp, readFile, rm } from 'node:fs/promises'; ... L19: const which = options.which ?? findExecutable; L20: const env = options.env ?? process.env; L21: const paths = { ... L120: env.GIT_CONFIG_NOSYSTEM = '1'; L121: env.GIT_CONFIG_SYSTEM = process.platform === 'win32' ? 'NUL' : '/dev/null'; L122: env.GIT_CONFIG_GLOBAL = process.platform === 'win32' ? 'NUL' : '/dev/null'; ... L126: env.GIT_CONFIG_KEY_1 = `remote.${safeGitRemote(options.remote)}.pushurl`; L127: env.GIT_CONFIG_VALUE_1 = 'https://127.0.0.1.invalid/aapb-worker-push-disabled'; L128: return env; ... L149: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/automation/executors.mjsView on unpkg · L1
engines/python/ai_agent_playbook_engine/__init__.pyView file
path = engines/python/ai_agent_playbook_engine/__init__.py kind = build_helper sizeBytes = 90 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

engines/python/ai_agent_playbook_engine/__init__.pyView on unpkg
src/automation/doctor.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = ai-agent-playbook@0.5.4 matchedIdentity = npm:YWktYWdlbnQtcGxheWJvb2s:0.5.4 similarity = 0.838 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/automation/doctor.mjsView on unpkg

Findings

2 High3 Medium4 Low
HighSandbox Evasion Gated Capabilitysrc/automation/executors.mjs
HighPrevious Version Dangerous Deltasrc/automation/doctor.mjs
MediumEnvironment Vars
MediumShips Build Helperengines/python/ai_agent_playbook_engine/__init__.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings