@codyswann/lisa@2.187.0

Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
  Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
  Supply chain: HighEntropyStrings, UrlStrings
  Manifest: No manifest risk signals triggered.
scanned 354 file(s), 2.18 MB of source, external domains: agents.md, api.expo.dev, api.github.com, github.com, opencode.ai, registry.npmjs.org

Source & flagged code

11 flagged
File: package.json
Evidence: scripts.postinstall = bash ./scripts/install-claude-plugins.sh || true; [ -d dist/configs ] || tsc || true
Severity: High
Finding: Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

File: package.json
Evidence: scripts.postinstall = bash ./scripts/install-claude-plugins.sh || true; [ -d dist/configs ] || tsc || true
Severity: Medium
Finding: Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
File: harper-fabric/create-only/.github/workflows/deploy.yml (line 72)
Evidence: patternName = generic_password severity = medium line = 72 matchedText = password...}" \
Severity: Medium
Finding: Secret Pattern

Package contains a possible secret pattern.
File: cdk/copy-overwrite/eslint.config.ts (line 26)
Evidence: L27: const require = createRequire(import.meta.url); L28: const ignoreConfig = require("./eslint.ignore.config.json");
Severity: Medium
Finding: Dynamic Require

Package source references dynamic require/import behavior.
File: harper-fabric/create-only/scripts/zap-baseline.sh
Evidence: path = harper-fabric/create-only/scripts/zap-baseline.sh kind = build_helper sizeBytes = 2921 magicHex = [redacted]
Severity: Medium
Finding: Ships Build Helper

Package ships non-JavaScript build or shell helper files.
File: typescript/copy-overwrite/.claude/hooks/worktree-create.sh
Evidence: path = typescript/copy-overwrite/.claude/hooks/worktree-create.sh kind = payload_in_excluded_dir sizeBytes = 2879 magicHex = [redacted]
Severity: High
Finding: Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.
File: plugins/lisa-wiki-copilot/scripts/wiki-safety.mjs (line 14)
Evidence: patternName = generic_password severity = medium line = 14 matchedText = password...D]",
Severity: Medium
Finding: Secret Pattern

Hardcoded password in plugins/lisa-wiki-copilot/scripts/wiki-safety.mjs
File: plugins/lisa-wiki/scripts/wiki-safety.mjs (line 14)
Evidence: patternName = generic_password severity = medium line = 14 matchedText = password...D]",
Severity: Medium
Finding: Secret Pattern

Hardcoded password in plugins/lisa-wiki/scripts/wiki-safety.mjs
File: plugins/lisa-wiki-agy/scripts/wiki-safety.mjs (line 14)
Evidence: patternName = generic_password severity = medium line = 14 matchedText = password...D]",
Severity: Medium
Finding: Secret Pattern

Hardcoded password in plugins/lisa-wiki-agy/scripts/wiki-safety.mjs
File: plugins/lisa-wiki-cursor/scripts/wiki-safety.mjs (line 14)
Evidence: patternName = generic_password severity = medium line = 14 matchedText = password...D]",
Severity: Medium
Finding: Secret Pattern

Hardcoded password in plugins/lisa-wiki-cursor/scripts/wiki-safety.mjs
File: plugins/src/wiki/scripts/wiki-safety.mjs (line 14)
Evidence: patternName = generic_password severity = medium line = 14 matchedText = password...D]",
Severity: Medium
Finding: Secret Pattern

Hardcoded password in plugins/src/wiki/scripts/wiki-safety.mjs

Findings

2 High, 12 Medium, 5 Low

Severity  Finding                             File
High      Install Time Lifecycle Scripts      package.json
High      Payload In Excluded Dir             typescript/copy-overwrite/.claude/hooks/worktree-create.sh
Medium    Ambiguous Install Lifecycle Script  package.json
Medium    Secret Pattern                      harper-fabric/create-only/.github/workflows/deploy.yml
Medium    Dynamic Require                     cdk/copy-overwrite/eslint.config.ts
Medium    Network
Medium    Environment Vars
Medium    Ships Build Helper                  harper-fabric/create-only/scripts/zap-baseline.sh
Medium    Structural Risk Force Deep Review
Medium    Secret Pattern                      plugins/lisa-wiki-copilot/scripts/wiki-safety.mjs
Medium    Secret Pattern                      plugins/lisa-wiki/scripts/wiki-safety.mjs
Medium    Secret Pattern                      plugins/lisa-wiki-agy/scripts/wiki-safety.mjs
Medium    Secret Pattern                      plugins/lisa-wiki-cursor/scripts/wiki-safety.mjs
Medium    Secret Pattern                      plugins/src/wiki/scripts/wiki-safety.mjs
Low       Non Install Lifecycle Scripts
Low       Scripts Present
Low       Filesystem
Low       High Entropy Strings
Low       Url Strings