Summary
While smoke-testing public registry package runx/dependency-cve-audit@sha-e11c90bbeb16 from a clean Docker environment, runx add, runx registry read, and runx skill inspect succeeded, but the published usage path failed at runtime because the installed package does not contain the expected run.mjs entrypoint.
Environment
- Container:
node:24-bookworm
- CLI install:
npm install -g @runxhq/cli@0.6.13
runx --version: runx-cli 0.6.13- Registry:
https://api.runx.ai
- Package ref:
runx/dependency-cve-audit@sha-e11c90bbeb16
Reproduction
runx registry read runx/dependency-cve-audit@sha-e11c90bbeb16 --registry https://api.runx.ai --json
runx add runx/dependency-cve-audit@sha-e11c90bbeb16 --registry https://api.runx.ai --to ./dependency-cve-audit --json
runx skill inspect ./dependency-cve-audit/runx/dependency-cve-audit/sha-e11c90bbeb16/SKILL.md --json
runx skill ./dependency-cve-audit/runx/dependency-cve-audit/sha-e11c90bbeb16/SKILL.md \
-i target_name="OWASP NodeGoat" \
-i target_repo=https://github.com/OWASP/NodeGoat \
-i target_ref=c5cb68a7084e4ae7dcc60e6a98768720a81841e8 \
-i package_lock_url=https://raw.githubusercontent.com/OWASP/NodeGoat/c5cb68a7084e4ae7dcc60e6a98768720a81841e8/package-lock.json \
-i scan_scope=direct \
-i include_dev=false \
-i output_dir=artifacts-docker/docker-smoke-cve \
--json
Observed
The runx skill command seals a failed receipt. The wrapper command returns JSON, but the nested skill execution fails:
execution.exit_code=1
closure.disposition=failed
closure.reason_code=process_failed
Error: Cannot find module '/.../dependency-cve-audit/runx/dependency-cve-audit/sha-e11c90bbeb16/run.mjs'
code: 'MODULE_NOT_FOUND'
Node.js v24.17.0
Expected
The installed public registry package should either include the entrypoint referenced by its published skill metadata or use a metadata/default-run path that resolves successfully after runx add.
Notes
This is not an install or registry-read failure; both succeeded. The failure is specific to the published package runtime path after installation.
Summary
While smoke-testing public registry package
runx/dependency-cve-audit@sha-e11c90bbeb16from a clean Docker environment,runx add,runx registry read, andrunx skill inspectsucceeded, but the published usage path failed at runtime because the installed package does not contain the expectedrun.mjsentrypoint.Environment
node:24-bookwormnpm install -g @runxhq/cli@0.6.13runx --version:runx-cli 0.6.13https://api.runx.airunx/dependency-cve-audit@sha-e11c90bbeb16Reproduction
Observed
The
runx skillcommand seals a failed receipt. The wrapper command returns JSON, but the nested skill execution fails:Expected
The installed public registry package should either include the entrypoint referenced by its published skill metadata or use a metadata/default-run path that resolves successfully after
runx add.Notes
This is not an install or registry-read failure; both succeeded. The failure is specific to the published package runtime path after installation.