@cuylabs/agent-core
Embeddable AI agent infrastructure — execution, sessions, tools, skills, dispatch, tracing
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/instance-Bg61WSyz.d.ts | AI (source-diff): Long-line .d.ts files are normal bundled TypeScript declarations, not obfuscated code. | ai | |
| provenance | missing-githead | AI (provenance): Large version jump with CI environment change; no other malicious signals present. | ai | |
| source-diff | obfuscated-file:dist/instance-Ijh9CP-_.d.ts | AI (source-diff): tsup --dts generates bundled .d.ts files with long lines; this is normal build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/instance-BoAI3OfR.d.ts | AI (source-diff): Long lines in .d.ts files are normal for bundled TypeScript declarations; not obfuscation. | ai | |
| dependencies | unvetted-dep:@ai-sdk/otel | AI (dependencies): @ai-sdk/otel is part of Vercel's official AI SDK; beta versioning is expected for this package family. | ai | |
| source-diff | obfuscated-file:dist/instance-DV_xLU65.d.ts | AI (source-diff): File is a bundled TypeScript declaration (.d.ts) from tsup; long lines are normal for generated type rollups, not obfuscation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Package is an actively developed AI agent SDK; large file count growth matches the many new export paths added in package.json. | ai | |
| source-diff | obfuscated-file:dist/instance-7RluLpIT.d.ts | AI (source-diff): File is a bundled TypeScript declaration file with long lines from type definitions, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/instance-DpAn37V_.d.ts | AI (source-diff): Long lines in .d.ts files are normal for bundled TypeScript declarations; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/instance-N5VhcNT2.d.ts | AI (source-diff): tsup-generated .d.ts bundle; long lines are normal for bundled TypeScript declarations, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/instance-CP24g3Le.d.ts | AI (source-diff): File is a bundled .d.ts with readable TS declarations; long lines are from type bundling, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@ai-sdk/provider | AI (phantom-deps): @ai-sdk/provider is a type/interface dependency commonly used in config/type files without direct runtime imports. | ai | |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 5.0.3 | 5 / 26 | |
| 5.0.0 | 5 / 26 | |
| 4.10.0 | 5 / 26 | |
| 4.9.0 | 5 / 26 | |
| 4.8.0 | 5 / 26 | |
| 4.7.1 | 5 / 26 | |
| 4.7.0 | 5 / 26 | |
| 4.5.0 | 5 / 26 | |
| 4.3.1 | 5 / 26 | |
| 4.3.0 | 5 / 26 | |
| 4.2.0 | 5 / 26 | |
| 4.1.0 | 5 / 26 | |
| 4.0.0 | 5 / 26 | |
| 3.2.1 | 5 / 26 | |
| 3.1.0 | 5 / 26 | |
| 3.0.0 | 5 / 26 | |
| 2.0.0 | 5 / 26 | |
| 1.0.0 | 5 / 26 | |
| 0.16.0 | 4 / 26 | |
| 0.15.0 | 4 / 26 | |
| 0.14.1 | 4 / 26 | |
| 0.14.0 | 4 / 26 | |
| 0.13.0 | 4 / 26 | |
| 0.12.0 | 4 / 26 | |
| 0.11.0 | 4 / 27 | |
| 0.10.0 | 4 / 27 | |
| 0.9.0 | 4 / 29 | |
| 0.8.0 | 3 / 29 | |
| 0.7.0 | 3 / 22 | |
| 0.6.0 | 3 / 22 | |
| 0.5.0 | 3 / 22 | |
| 0.4.0 | 3 / 14 | |
| 0.3.0 | 3 / 14 | |
| 0.2.0 | 3 / 14 | |
| 0.1.1 | 3 / 14 | |
| 0.1.0 | 3 / 13 | |
v5.0.3
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.8.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.7.1
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.7.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.1
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
2 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.9.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cyb3rward0g.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cyb3rward0g.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cyb3rward0g.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cyb3rward0g.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cyb3rward0g.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cyb3rward0g.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cyb3rward0g.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: cyb3rward0g.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.