registry  /  allagents  /  1.13.1

allagents@1.13.1

CLI tool for managing multi-repo AI agent workspaces with plugin synchronization

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 1 file(s), 1.97 MB of source, external domains: 127.0.0.1, allagents.dev, api.example.com, api.github.com, bitbucket.org, dev.azure.com, github.com, gitlab.com, json-schema.org, mcp.deepwiki.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/index.jsView file
310if ("CI" in env) { L311: if (["GITHUB_ACTIONS", "GITEA_ACTIONS", "CIRCLECI"].some((key) => (key in env))) { L312: return 3; ... L371: supportsColor = { L372: stdout: createSupportsColor({ isTTY: tty.isatty(1) }), L373: stderr: createSupportsColor({ isTTY: tty.isatty(2) }) ... L952: if (config.env) { L953: const env2 = process.env[config.env] === undefined ? "" : `=${chalk_1.default.italic(process.env[config.env])}`; L954: defaults.push(`env: ${config.env}${env2}`); ... L2219: for (let i = 0;i < namespace.length; i++) { L2220: hash = (hash << 5) - hash + namespace.charCodeAt(i); L2221: hash |= 0;
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L310
25901if (ast.body[0].expression.body.type === "BlockStatement") { L25902: return new Function(params, source.slice(body[0] + 1, body[1] - 1)); L25903: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L25901

Findings

1 High4 Medium6 Low
HighObfuscated Payload Loaderdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings