registry  /  tester-h  /  0.5.0

tester-h@0.5.0

tester-h — run an H QA agent against your web app from the command line.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 88 file(s), 765 KB of source, external domains: agp.eu.hcompany.ai, agp.hcompany.ai, api.hcompany.ai, app.example.com, example.com, id.atlassian.com, nodejs.org, portal.eu.hcompany.ai, portal.hcompany.ai, probe.invalid, registry.npmjs.org, staging.example.com, xray.cloud.getxray.app, your.atlassian.net

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/visualize/project.jsView file
32screenshots_dir: z.string().optional(), L33: stdout: z.string().optional(), L34: }) ... L51: if (input === '~') { L52: return homedir(); L53: } ... L147: try { L148: const raw = TrajectoryFileSchema.parse(JSON.parse(await readFile(file, 'utf-8'))); L149: const fileBase = basename(file, '.json');
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/visualize/project.jsView on unpkg · L32
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = tester-h@0.4.0 matchedIdentity = npm:dGVzdGVyLWg:0.4.0 similarity = 0.929 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

2 High4 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltadist/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/visualize/project.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License