Is @jlongo78/agent-spaces safe to install?

@jlongo78/agent-spaces was flagged as CRITICAL RISK (risk score 16036) with 1523 findings detected across 1579 files. Review the findings before installing.

What security issues were found in @jlongo78/agent-spaces?

Sigil detected 1523 findings in @jlongo78/agent-spaces, including patterns related to code_patterns, credentials, network_exfil, obfuscation, install_hooks. See the full scan report for details.

@jlongo78/agent-spaces Security Scan — CRITICAL RISK | Sigil

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/.next/standalone/.next/server/chunks/ssr/node_modules_xterm_lib_xterm_2d364f66.js:3


WARNING: This link could potentially be dangerous`)){let a=window.open();if(a){try{a.opener=null}catch(a){}a.location.href=b}else console.warn("Opening link blocked as opener could not be cleared")}}(0,b),hover:(a,b)=>{var d;return null==(d=null==g?void 0:g.hover)?void 0:d.call(g,a,b,c)},leave:(a,b)=>{var d;return null==(d=null==g?void 0:g.leave)?void 0:d.call(g,a,b,c)}})}l=!1,h.hasExtendedAttrs()&&h.extended.urlId?(k=b,j=h.extended.urlId):(k=-1,j=-1)}}b(e)}};b.OscLinkProvider=d([e(0,g.IBufferS

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/.next/standalone/.next/static/chunks/2ad22562bb37ecad.js:598

	precision ${e.precision} usampler2DArray;
	`;return"highp"===e.precision?t+="\n#define HIGH_PRECISION":"mediump"===e.precision?t+="\n#define MEDIUM_PRECISION":"lowp"===e.precision&&(t+="\n#define LOW_PRECISION"),t}function hb(e,t,i,n){let r,a,s,o,l,c,h=e.getContext(),u=i.defines,d=i.vertexShader,p=i.fragmentShader,f=(l="SHADOWMAP_TYPE_BASIC",1===i.shadowMapType?l="SHADOWMAP_TYPE_PCF":2===i.shadowMapType?l="SHADOWMAP_TYPE_PCF_SOFT":3===i.shadowMapType&&(l="SHADOWMAP_TYPE_VSM"),l),m=function(e){l

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/.next/standalone/.next/static/chunks/2ad22562bb37ecad.js:622


}`;class h${constructor(){this.texture=null,this.mesh=null,this.depthNear=0,this.depthFar=0}init(e,t,i){if(null===this.texture){let n=new sI;e.properties.get(n).__webglTexture=t.texture,(t.depthNear!=i.depthNear||t.depthFar!=i.depthFar)&&(this.depthNear=t.depthNear,this.depthFar=t.depthFar),this.texture=n}}getMesh(e){if(null!==this.texture&&null===this.mesh){let t=e.cameras[0].viewport,i=new lE({vertexShader:hK,fragmentShader:hZ,uniforms:{depthColor:{value:this.texture},depthWidth:{value:t.z},d

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/.next/standalone/.next/static/chunks/2ad22562bb37ecad.js:824

	precision ${e.precision} usampler2DArray;
	`;return"highp"===e.precision?t+="\n#define HIGH_PRECISION":"mediump"===e.precision?t+="\n#define MEDIUM_PRECISION":"lowp"===e.precision&&(t+="\n#define LOW_PRECISION"),t}function _c(e,t,i,n){let r,a,s,o,l,c,h=e.getContext(),u=i.defines,d=i.vertexShader,p=i.fragmentShader,f=(l="SHADOWMAP_TYPE_BASIC",1===i.shadowMapType?l="SHADOWMAP_TYPE_PCF":2===i.shadowMapType?l="SHADOWMAP_TYPE_PCF_SOFT":3===i.shadowMapType&&(l="SHADOWMAP_TYPE_VSM"),l),m=function(e){l

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/.next/standalone/.next/static/chunks/2ad22562bb37ecad.js:848


}`;class _F{constructor(){this.texture=null,this.mesh=null,this.depthNear=0,this.depthFar=0}init(e,t,i){if(null===this.texture){let n=new fv;e.properties.get(n).__webglTexture=t.texture,(t.depthNear!=i.depthNear||t.depthFar!=i.depthFar)&&(this.depthNear=t.depthNear,this.depthFar=t.depthFar),this.texture=n}}getMesh(e){if(null!==this.texture&&null===this.mesh){let t=e.cameras[0].viewport,i=new gh({vertexShader:_U,fragmentShader:_O,uniforms:{depthColor:{value:this.texture},depthWidth:{value:t.z},d

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/.next/standalone/.next/static/chunks/e23f20b51a75a5bb.js:358

	return dot( weights, rgb );
}`),n.useDepthPacking?"#define DEPTH_PACKING "+n.depthPacking:"","\n"].filter(tu).join("\n")}f=td(f=tc(f=tp(f),n),n),p=td(p=tc(p=tp(p),n),n),f=tv(f),p=tv(p),!0!==n.isRawShaderMaterial&&(T="#version 300 es\n",o=[S,"#define attribute in\n#define varying out\n#define texture2D texture"].join("\n")+"\n"+o,l=["#define varying in",n.glslVersion===M.GLSL3?"":"layout(location = 0) out highp vec4 pc_fragColor;",n.glslVersion===M.GLSL3?"":"#define gl_FragColor pc_fragColor","#

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/.next/standalone/.next/static/chunks/e23f20b51a75a5bb.js:382


}`;class tQ{constructor(){this.texture=null,this.mesh=null,this.depthNear=0,this.depthFar=0}init(e,t){if(null===this.texture){let n=new M.ExternalTexture(e.texture);(e.depthNear!==t.depthNear||e.depthFar!==t.depthFar)&&(this.depthNear=e.depthNear,this.depthFar=e.depthFar),this.texture=n}}getMesh(e){if(null!==this.texture&&null===this.mesh){let t=e.cameras[0].viewport,n=new M.ShaderMaterial({vertexShader:tY,fragmentShader:t$,uniforms:{depthColor:{value:this.texture},depthWidth:{value:t.z},depthH

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/.next/standalone/.next/static/chunks/e40d2bd3b4ce8192.js:3


WARNING: This link could potentially be dangerous`)){let e=window.open();if(e){try{e.opener=null}catch(e){}e.location.href=t}else console.warn("Opening link blocked as opener could not be cleared")}}(0,t),hover:(e,t)=>{var s;return null==(s=null==o?void 0:o.hover)?void 0:s.call(o,e,t,i)},leave:(e,t)=>{var s;return null==(s=null==o?void 0:o.leave)?void 0:s.call(o,e,t,i)}})}d=!1,a.hasExtendedAttrs()&&a.extended.urlId?(c=t,l=a.extended.urlId):(c=-1,l=-1)}}t(r)}};t.OscLinkProvider=s([r(0,o.IBufferS

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

package/bin/lib/auto-setup.js:27


function autoSetup({ SPACES_DIR, SESSION_SECRET_PATH, ADMIN_DB_PATH, CONFIG_PATH, tier, port, basePath }) {
  // Ensure ~/.spaces directory

Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

@jlongo78/agent-spaces

Summary

Provenance

Findings by Phase

Install Hooks

Code Patterns

Obfuscation

Network / Exfiltration

Credentials

Badge

Scan your own packages

Get threat intelligence and product updates

Other npm scans