
create-agentic-qa@1.1.0

Official scaffolder for the Agentic QA ecosystem — bootstraps a project from agentic-qa-boilerplate and runs its interactive installer.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only: it is not blocked unless an AI or security-team review confirms malicious behavior. The findings below are signal-based (co-occurrence of capabilities in the bundled source); several of them explicitly ask for a manual data-flow review before any blocking decision.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
Child Process · Dynamic Require · Environment Vars · Network
Supply chain
High Entropy Strings · Minified · Url Strings
Manifest: no manifest risk signals triggered.
scanned 1 file(s), 153 KB of source (the entire CLI is a single minified bundle, dist/cli.js, so every "same file" co-occurrence rule below fires by construction). External domains found in string literals: api.github.com, bun.com, bun.sh, cli.github.com, codeload.github.com, developer.atlassian.com, git-scm.com, github.com, jqlang.org, nodejs.org, playwright.dev, resend.com. Several of these (nodejs.org, git-scm.com, bun.sh, playwright.dev) look like prerequisite/documentation links rather than endpoints; codeload.github.com and api.github.com are the ones most likely contacted at runtime for the template download described above — confirm the exact URLs and whether the fetched ref is pinned.

Source & flagged code

106`),process.stdout.write(` L107: `)}import{existsSync as Vu,readdirSync as JC,readFileSync as A3}from"node:fs";import{join as KF}from"node:path";function GF(D,u){let F=KF(D,".template","installer.lock.json");if(!V... L108: `);let H=D.filter((U)=>U.required&&U.status==="fail"),T=H.length===0;if(T)process.stdout.write(YF.default.green(`${I3.tick??"✔"} All system prerequisites OK
High
Child Process

Package source references child process execution.

Location: dist/cli.js, line 106
139`);s();let E=await aD({message:"Want to see the full skill list for a category?",options:[{value:"back",label:"Back to menu"},{value:"gentle",label:`Expand gentle-ai skills (${u.ge... L140: `);s(),await fF()}var Y3=a(ZD(),1);import{spawnSync as VF}from"node:child_process";import{existsSync as nD}from"node:fs";import{readFile as J3,rm as M3,writeFile as Z3}from"node:fs... L141: `,"utf8"),j.dim(` Wrote package.json (name=${u}, version=0.1.0).`)}async function G3(D,u){let F=iD(D,".agents","project.yaml");if(!nD(F)){j.warn(" .agents/project.yaml not found ... ... L144: git config --global user.name "Your Name"`);j.dim(" git init + initial commit done.")}var vC=["packages",".github/workflows/pages.yml",".github/workflows/pages-squash.yml",".conte... L145: `),JF(Y3.default.bgCyan(" AGENTIC QA "));let D=await aD({message:"What would you like to do?",options:[{value:"scaffold",label:"Create a new project"},{value:"doctor",label:"Check ... L146: `),0;if(!D.noBanner)process.stdout.write(`${F3()}
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking. Here the whole CLI is one minified bundle, so this co-occurrence is expected for a scaffolder that downloads a template and then runs git (the excerpt imports spawnSync from node:child_process and reports "git init + initial commit done"). What matters is whether any spawned command receives arguments derived from environment variables or network responses; trace the spawnSync call sites rather than relying on the rule.

Location: dist/cli.js, line 139
91bunx create-agentic-qa --here # use current directory`);return u}function OF(D,u,F){let E=D[u];if(!E||E.startsWith("--"))throw new $("USAGE",`Flag ${F} requires a value.`)... L92: `),process.stdout.write(`scaffolder for the Agentic QA ecosystem L93: ... L106: `),process.stdout.write(` L107: `)}import{existsSync as Vu,readdirSync as JC,readFileSync as A3}from"node:fs";import{join as KF}from"node:path";function GF(D,u){let F=KF(D,".template","installer.lock.json");if(!V... L108: `);let H=D.filter((U)=>U.required&&U.status==="fail"),T=H.length===0;if(T)process.stdout.write(YF.default.green(`${I3.tick??"✔"} All system prerequisites OK
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. The excerpt shown here is CLI usage text and a prerequisite check, not an outbound request, and no traced flow from command output to a network call is presented. Confirm by locating where command output is captured and where requests are sent, and whether any captured output (or anything read from the environment) ends up in a request body, header, or URL.

Location: dist/cli.js, line 91
1#!/usr/bin/env node L2: import{createRequire as w3}from"node:module";var W3=Object.create;var{getPrototypeOf:v3,defineProperty:_F,getOwnPropertyNames:P3}=Object;var x3=Object.prototype.hasOwnProperty;func... L3: `,C=u.pad||" ",B=F!=="right"?_E:zE,A=!1;if(!Array.isArray(D))A=!0,D=String(D).split(E);let I,H=0;return D=D.map(function(T){return T=String(T),I=NE(T),H=Math.max(I,H),{str:T,width:... L4: `).reduce(function(C,B){return w0(B)>C?w0(B):C},0)}function hD(D,u){return Array(u+1).join(D)}function oE(D,u,F,E){let C=ED(D);if(u+1>=C){let B=u-C;switch(E){case"right":{D=hD(F,B)... L5: `);let C=F?B8:A8;for(let B=0;B<u.length;B++)E.push.apply(E,C(D,u[B]));return E}function H8(D){let u={},F=[];for(let E=0;E<D.length;E++){let C=tE(u,D[E]);u=eE(C);let B=Object.assign... L6: `)!=-1,E=this._styles,C=E.length;while(C--){var B=GD[E[C]];if(u=B.open+u.replace(B.closeRe,B.open)+B.close,F)u=u.replace(J8,function(A){return B.close+A+B.open})}return u}Q.setThem... L7: `))}wrapLines(D){let u=n.colorizeLines(D);if(this.href)return u.map((F)=>n.hyperlink(this.href,F));return u}init(D){let u=this.x,F=this.y;this.widths=D.colWidths.slice(u,u+this.col... L8: `)}get width(){return this.toString().split(
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. The excerpt shown (line 1) is bundler boilerplate and table-rendering code and does not display the gating condition. Before treating this as sandbox evasion, locate the actual check and the capability it guards: interactive CLIs commonly test for CI or a non-TTY to disable prompts, which would trip this rule benignly, whereas a condition that suppresses network or execution only when a sandbox is detected would not.

Location: dist/cli.js, line 1
5`);let C=F?B8:A8;for(let B=0;B<u.length;B++)E.push.apply(E,C(D,u[B]));return E}function H8(D){let u={},F=[];for(let E=0;E<D.length;E++){let C=tE(u,D[E]);u=eE(C);let B=Object.assign... L6: `)!=-1,E=this._styles,C=E.length;while(C--){var B=GD[E[C]];if(u=B.open+u.replace(B.closeRe,B.open)+B.close,F)u=u.replace(J8,function(A){return B.close+A+B.open})}return u}Q.setThem... L7: `))}wrapLines(D){let u=n.colorizeLines(D);if(this.href)return u.map((F)=>n.hyperlink(this.href,F));return u}init(D){let u=this.x,F=this.y;this.widths=D.colWidths.slice(u,u+this.col...
Medium
Dynamic Require

Package source references dynamic require/import behavior. The excerpt imports createRequire from node:module next to a prototype-copying shim (Object.create, getPrototypeOf, getOwnPropertyNames), which is consistent with bundler interop code; confirm that nothing is required or imported from a path computed at runtime from user, environment, or network input.

Location: dist/cli.js, line 5

Findings

4 High · 4 Medium · 4 Low
High — Child Process — dist/cli.js
High — Same File Env Network Execution — dist/cli.js
High — Command Output Exfiltration — dist/cli.js
High — Sandbox Evasion Gated Capability — dist/cli.js
Medium — Dynamic Require — dist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings