Vulnerability Scanning

Automated malware/threat screening for published tool versions.

Overview

After each publish, AgentPM runs asynchronous scans on the uploaded artifact. Results surface on the tool page and influence install/search behavior (e.g., yanked versions cannot be installed).

What happens after publish

  1. Scan queued. Newly published artifacts are sent to our scanner (GuardDuty-backed).
  2. Result recorded and shown on the registry. Each version displays its latest scan outcome.
  3. Automatic protection. If a threat is detected, the version is Yanked:
    • It cannot be installed (the install will fail).
    • It stays visible on the website with a Yanked badge (for audit/traceability) but is omitted from search results.

Scan outcome → status mapping

Scanner code → (malware status, scan status):

  • NO_THREATS_FOUND → (clean, complete)
  • THREATS_FOUND → (infected, complete); the version is Yanked
  • UNSUPPORTED → (unknown, failed); the format or size limits prevented scanning
  • ACCESS_DENIED → (unknown, failed)
  • FAILED → (unknown, failed); scanner error
  • SCAN_IN_PROGRESS → (unknown, running)

Additional publish-time hardening

Beyond malware scanning, we perform structural and safety checks twice: in the CLI before upload, and again on the server when the publish is finalized:

  • Artifact size cap: reject if > 3 GB.
  • Valid gzip-tar: quick magic-byte check.
  • Tar entry limits: reject if > 15,000 members.
  • Embedded archive blocklist: reject if any member ends in .zip, .whl, .7z, .rar, .tar, .tgz, .tar.gz.
  • Path safety: reject absolute paths or parent traversals (e.g., /…, ../…).

These checks help prevent risky bundles, nested archives, and tarbomb-style issues from ever landing in the registry.
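As an added illustration (not AgentPM's own CLI or server code), the structural checks above written in Python against a constructed tarball. The thresholds are the ones stated on this page; the rejection strings and helper names are assumptions.

```python
import io
import tarfile

# Limits as documented for AgentPM publish-time hardening.
MAX_SIZE = 3 * 1024 ** 3        # 3 GB artifact cap
MAX_MEMBERS = 15_000            # tar entry limit (tarbomb guard)
BLOCKED_SUFFIXES = (".zip", ".whl", ".7z", ".rar", ".tar", ".tgz", ".tar.gz")
GZIP_MAGIC = b"\x1f\x8b"        # first two bytes of any gzip stream


def check_artifact(data: bytes) -> list[str]:
    """Return the list of rejection reasons; an empty list means the artifact passes."""
    reasons = []
    if len(data) > MAX_SIZE:
        reasons.append("too large")
    if data[:2] != GZIP_MAGIC:
        # Without a valid gzip stream the members cannot be inspected at all.
        reasons.append("not a gzip archive")
        return reasons
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for count, member in enumerate(tar, start=1):
                if count > MAX_MEMBERS:
                    reasons.append("too many entries")
                    break
                name = member.name
                if name.lower().endswith(BLOCKED_SUFFIXES):
                    reasons.append(f"embedded archive detected: {name}")
                # Absolute paths and any '..' segment would escape the install directory.
                if name.startswith("/") or ".." in name.split("/"):
                    reasons.append(f"unsafe path: {name}")
    except tarfile.TarError:
        reasons.append("invalid tar archive")
    return reasons


def build_sample(names: list[str]) -> bytes:
    """Constructed sample artifact: a gzip tarball of empty files with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)   # addfile() keeps the name exactly as given
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    print(check_artifact(build_sample(["tool/main.py", "tool/vendor.zip", "../escape.sh"])))
```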

Developer impact

  • Clean versions install normally and appear in search/trending.
  • Yanked versions remain browsable (for history/diagnosis) but are not installable and are hidden from discovery surfaces.
  • If your upload is rejected at publish time, the CLI/server response will include a clear reason (“too large”, “embedded archive detected”, “unsafe path”, etc.).

Best practices

  • Keep artifacts lean; package only what your entrypoint needs.
  • Avoid bundling archives within archives.
  • Validate locally with agentpm publish --dry-run, and keep the CLI up to date so you benefit from the latest checks.
  • If a version is yanked, publish a fixed version with a clear changelog note.