agentaudit 3.9.5 → 3.9.7
- package/index.mjs +23 -2
- package/package.json +1 -1
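--- a/package/index.mjs
+++ b/package/index.mjs
@@ -551,19 +551,40 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
 });
 
 if (res.status === 404) {
-return { content: [{ type: 'text', text:
+return { content: [{ type: 'text', text: `⚠️ Package "${package_name}" is NOT in the AgentAudit security registry — it has never been audited.\n\nIMPORTANT: Tell the user that this package has no security audit on record and that installing unaudited packages carries risk. Recommend running a security audit first before installing.\n\nTo run an audit now:\n1. Find the source URL (GitHub repo) for "${package_name}"\n2. Call audit_package with that URL\n3. Analyze the code following the methodology\n4. Call submit_report with your findings\n\nIf the user wants to skip the audit and install anyway, warn them that the package is unvetted.` }] };
 }
 
 const data = await res.json();
 const risk = data.risk_score ?? data.latest_risk_score ?? 'unknown';
 const official = data.has_official_audit ? '✅ Officially audited' : 'Community audit';
+const findings = data.total_findings ?? 0;
+const maxSev = data.latest_max_severity;
+const auditedAt = data.last_audited_at ? new Date(data.last_audited_at).toLocaleDateString('en-US', { year: 'numeric', month: 'short', day: 'numeric' }) : 'unknown';
+const version = data.latest_known_version || null;
+const isOutdated = data.is_outdated;
 
 let summary = `# ${package_name}\n\n`;
 summary += `**Risk Score:** ${risk}/100\n`;
 summary += `**Status:** ${official}\n`;
+summary += `**Findings:** ${findings}${maxSev ? ` (max severity: ${maxSev})` : ''}\n`;
+summary += `**Last Audited:** ${auditedAt}\n`;
+if (version) summary += `**Audited Version:** ${version}\n`;
+if (isOutdated) summary += `**⚠️ OUTDATED:** The package has been updated since the last audit!\n`;
 if (data.source_url) summary += `**Source:** ${data.source_url}\n`;
 summary += `**Registry:** ${REGISTRY_URL}/skills/${package_name}\n\n`;
-
+
+// Agent instructions based on risk level
+if (typeof risk === 'number' && risk >= 40) {
+summary += `\n🚨 HIGH RISK (${risk}/100): IMPORTANT — Tell the user this package has significant security findings and may be UNSAFE to install. Recommend reviewing the findings at ${REGISTRY_URL}/skills/${package_name} before proceeding. If the user still wants to install, strongly warn about the risks.\n`;
+} else if (typeof risk === 'number' && risk >= 20) {
+summary += `\n⚠️ MODERATE RISK (${risk}/100): Inform the user that this package has some security findings. Recommend reviewing them at ${REGISTRY_URL}/skills/${package_name} before installing.\n`;
+} else if (typeof risk === 'number') {
+summary += `\n✅ LOW RISK (${risk}/100): This package appears safe based on its security audit. The user can proceed with installation.\n`;
+}
+
+if (isOutdated) {
+summary += `\n⚠️ NOTE: The audit may be outdated — the package has changed since it was last reviewed. Consider running a fresh audit with audit_package.\n`;
+}
 
 return { content: [{ type: 'text', text: summary }] };
 } catch (err) {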
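Review bot: The LOW RISK branch (`} else if (typeof risk === 'number') {`) tells the agent "The user can proceed with installation" even when `isOutdated` is true or `data.has_official_audit` is false, so a stale or community-only score below 20 still yields a go-ahead and the outdated note only follows it. I would gate that branch, e.g. `} else if (typeof risk === 'number' && !isOutdated && data.has_official_audit) {`, and emit a neutral "score is low, but the audit is stale or unofficial" line otherwise. The `typeof risk === 'number'` checks also mean that if the registry ever returns the score as a string, no guidance is emitted while the header still prints it; `const riskNum = Number(risk)` with `Number.isFinite(riskNum)` would close that silent gap. Separately, `package_name`, `maxSev`, `version` and `data.source_url` are interpolated into the same text that carries directives for the agent, so constraining them first (a severity allowlist, parsing the URL with `new URL`, a length cap) would keep caller- or registry-supplied strings from reading as instructions. The handler body starts and ends outside the hunk.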