CapitalGuardAI-agent security licensesScan

Package supply-chain risk

Dependency Script Execution

Install scripts, postinstall hooks, and package-manager credentials can create dangerous paths when agents modify dependencies or run commands.

Severity: HighDetected by: Pro

Signals CapitalGuard looks for

Postinstall, prepare, or prepublish scripts
Package registry tokens in config files
Agent-accessible dependency update automation

Why it matters

Package scripts can run code during routine install or build steps.
Agent-suggested dependency changes can trigger scripts outside normal review attention.
Registry credentials can expose private packages or publish permissions.

Precautions to take

Require review for dependency and lifecycle-script changes.
Move package registry credentials out of the repo workspace.
Run dependency updates in isolated environments with limited secrets.

Next step

Turn this risk into a scoped scan and policy path.

Compare Licenses