registry  /  jeeves-agent  /  1.4.1

jeeves-agent@1.4.1

⚠ Under review

Jeeves Agent — 多Agent AI 管家。基于 Flue (Pi) + Tavily + Playwright MCP,一条命令部署

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 45.2 KB of source, external domains: api.tavily.com, crontab.guru, platform.deepseek.com, tavily.com

Source & flagged code

6 flagged · loading source
src/app.tsView file
8import { readFileSync } from 'fs'; L9: import { spawn } from 'child_process'; L10: import { join } from 'path';
High
Child Process

Package source references child process execution.

src/app.tsView on unpkg · L8
23windowsHide: true, L24: shell: true, L25: });
High
Shell

Package source references shell execution.

src/app.tsView on unpkg · L23
20const MCP_PORT = 8931; L21: const mcpProcess = spawn('npx', ['@playwright/mcp@latest', '--port', String(MCP_PORT), '--headless'], { L22: stdio: 'ignore',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/app.tsView on unpkg · L20
src/cli/schedules.mjsView file
13function getSchedulePath() { L14: return join(homedir(), '.jeeves', 'schedules.yaml'); L15: } ... L34: # L35: # 更多: https://crontab.guru/ L36:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

src/cli/schedules.mjsView on unpkg · L13
src/cli/server.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = jeeves-agent@1.3.3 matchedIdentity = npm:amVldmVzLWFnZW50:1.3.3 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli/server.mjsView on unpkg
76if (running) { L77: console.log(`${C.green}Flue 已在线${C.reset} (http://localhost:${serverPort})`); L78: return serverPort; ... L84: return new Promise((resolve, reject) => { L85: serverProcess = spawn('npx', ['@flue/cli', 'dev'], { L86: cwd: PROJECT_DIR, ... L88: shell: true, L89: env: { ...process.env }, L90: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/cli/server.mjsView on unpkg · L76

Findings

1 Critical4 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltasrc/cli/server.mjs
HighChild Processsrc/app.ts
HighShellsrc/app.ts
HighSame File Env Network Executionsrc/cli/server.mjs
HighRuntime Package Installsrc/app.ts
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesrc/cli/schedules.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings