registry  /  jungle-agents  /  0.1.0

jungle-agents@0.1.0

Run Jungle agents on your own machine: `jungle-agents connect` registers this device and runs the agents you assign to it from the Jungle web app.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 129 KB of source, external domains: api.jungleagents.com, gmail.googleapis.com, www.googleapis.com

Source & flagged code

3 flagged · loading source
dist/git.jsView file
6import { promises as fs } from "node:fs"; L7: import { spawn } from "node:child_process"; L8: import os from "node:os";
High
Child Process

Package source references child process execution.

dist/git.jsView on unpkg · L6
dist/cli.jsView file
9import os from "node:os"; L10: import { spawnSync } from "node:child_process"; L11: import { Daemon } from "./daemon.js"; L12: import { loadConfig, saveConfig, clearConfig, RUNNER_VERSION, } from "./config.js"; L13: const DEFAULT_BACKEND = process.env.JUNGLE_BACKEND ?? "https://api.jungleagents.com"; L14: function parseFlags(argv) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L9
9import os from "node:os"; L10: import { spawnSync } from "node:child_process"; L11: import { Daemon } from "./daemon.js"; L12: import { loadConfig, saveConfig, clearConfig, RUNNER_VERSION, } from "./config.js"; L13: const DEFAULT_BACKEND = process.env.JUNGLE_BACKEND ?? "https://api.jungleagents.com"; L14: function parseFlags(argv) { ... L38: function openBrowser(url) { L39: const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open"; L40: try { ... L48: const backend = (flags.backend ?? DEFAULT_BACKEND).replace(/\/$/, ""); L49: const name = flags.name ?? os.hostname(); L50: const existing = await loadConfig();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L9

Findings

4 High3 Medium5 Low
HighChild Processdist/git.js
HighShell
HighSame File Env Network Executiondist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings