agent-coderag@1.2.1

Lightweight semantic code search and distillation utility for AI coding agents. It solves the API knowledge gap via real-time local signature extraction and intent analysis without PyTorch. Optimized for token efficiency, it compresses codebase context into compact semantic summaries stored in a local DuckDB vector similarity index.

  • latest version

    1.3.1

  • latest non vulnerable version

    1.3.1

  • first published

    2 months ago

  • latest version published

    16 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the agent-coderag package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • High severity: Command Injection


    Affected versions of this package are vulnerable to Command Injection in the sync process. An attacker can execute arbitrary code with the victim's operating system privileges by inducing the victim to run the tool against a directory containing a malicious gradlew script. This is possible because the sync process unconditionally executes the repository-controlled gradlew script without validating its content or integrity, allowing compromise of confidentiality, integrity, and availability.

    How to fix Command Injection?

    Upgrade agent-coderag to version 1.3.1 or higher.

    Vulnerable version range: [,1.3.1)