@codyswann/lisa@2.189.1

Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

Public snapshot
Behavioral surface:
  Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
  Supply chain: High Entropy Strings, Url Strings
  Manifest: No manifest risk signals triggered.
scanned 355 file(s), 2.19 MB of source, external domains: agents.md, api.expo.dev, api.github.com, github.com, opencode.ai, registry.npmjs.org

Source & flagged code

12 flagged

package.json
scripts.postinstall = bash ./scripts/install-claude-plugins.sh || true; [ -d dist/configs ] || tsc || true
High · Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = bash ./scripts/install-claude-plugins.sh || true; [ -d dist/configs ] || tsc || true
Medium · Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.

harper-fabric/create-only/.github/workflows/deploy.yml · L72
patternName = generic_password · severity = medium · line = 72 · matchedText = password...}" \
Medium · Secret Pattern
Package contains a possible secret pattern.

cdk/copy-overwrite/eslint.config.ts · L26
L27: const require = createRequire(import.meta.url); L28: const ignoreConfig = require("./eslint.ignore.config.json");
Medium · Dynamic Require
Package source references dynamic require/import behavior.

harper-fabric/create-only/scripts/zap-baseline.sh
path = harper-fabric/create-only/scripts/zap-baseline.sh · kind = build_helper · sizeBytes = 2921 · magicHex = [redacted]
Medium · Ships Build Helper
Package ships non-JavaScript build or shell helper files.

typescript/copy-overwrite/.claude/hooks/worktree-create.sh
path = typescript/copy-overwrite/.claude/hooks/worktree-create.sh · kind = payload_in_excluded_dir · sizeBytes = 2879 · magicHex = [redacted]
High · Payload In Excluded Dir
Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

scripts/detect-stale-workflow-inputs.mjs
matchType = previous_version_dangerous_delta · matchedPackage = @codyswann/lisa@2.188.4 · matchedIdentity = npm:QGNvZHlzd2Fubi9saXNh:2.188.4 · similarity = 0.992 · summary = stored previous version shares package body but lacks this dangerous source file
High · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

plugins/lisa-wiki-copilot/scripts/wiki-safety.mjs · L14
patternName = generic_password · severity = medium · line = 14 · matchedText = password...D]",
Medium · Secret Pattern
Hardcoded password in plugins/lisa-wiki-copilot/scripts/wiki-safety.mjs

plugins/lisa-wiki/scripts/wiki-safety.mjs · L14
patternName = generic_password · severity = medium · line = 14 · matchedText = password...D]",
Medium · Secret Pattern
Hardcoded password in plugins/lisa-wiki/scripts/wiki-safety.mjs

plugins/lisa-wiki-agy/scripts/wiki-safety.mjs · L14
patternName = generic_password · severity = medium · line = 14 · matchedText = password...D]",
Medium · Secret Pattern
Hardcoded password in plugins/lisa-wiki-agy/scripts/wiki-safety.mjs

plugins/lisa-wiki-cursor/scripts/wiki-safety.mjs · L14
patternName = generic_password · severity = medium · line = 14 · matchedText = password...D]",
Medium · Secret Pattern
Hardcoded password in plugins/lisa-wiki-cursor/scripts/wiki-safety.mjs

plugins/src/wiki/scripts/wiki-safety.mjs · L14
patternName = generic_password · severity = medium · line = 14 · matchedText = password...D]",
Medium · Secret Pattern
Hardcoded password in plugins/src/wiki/scripts/wiki-safety.mjs

Findings

3 High · 12 Medium · 5 Low

High · Install Time Lifecycle Scripts · package.json
High · Payload In Excluded Dir · typescript/copy-overwrite/.claude/hooks/worktree-create.sh
High · Previous Version Dangerous Delta · scripts/detect-stale-workflow-inputs.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Secret Pattern · harper-fabric/create-only/.github/workflows/deploy.yml
Medium · Dynamic Require · cdk/copy-overwrite/eslint.config.ts
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · harper-fabric/create-only/scripts/zap-baseline.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · plugins/lisa-wiki-copilot/scripts/wiki-safety.mjs
Medium · Secret Pattern · plugins/lisa-wiki/scripts/wiki-safety.mjs
Medium · Secret Pattern · plugins/lisa-wiki-agy/scripts/wiki-safety.mjs
Medium · Secret Pattern · plugins/lisa-wiki-cursor/scripts/wiki-safety.mjs
Medium · Secret Pattern · plugins/src/wiki/scripts/wiki-safety.mjs
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings