
@dzhechkov/harness-core@0.3.40

Shared harness logic - skill loading, additive apply, and the init/sync/verify/doctor operations.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
Scanned 50 file(s), 432 KB of source. External domains referenced: api.github.com, api.npmjs.org, github.com, json-schema.org, raw.githubusercontent.com

Source & flagged code

3 flagged

dist/publish.js · L8
  8: import { join } from 'node:path';
  9: import { execSync } from 'node:child_process';
  10: /** Bump patch version: 0.3.11 → 0.3.12 */
High · Child Process
Package source references child process execution (execSync is imported from node:child_process at L9).

dist/upgrade.js · L1
  1: /**
  2:  * Skill upgrade — detects installed skills and re-applies from canonical source.
Low · Weak Crypto
Package source references weak cryptographic algorithms. The excerpt shown is the file's header comment; the line that actually matched the rule is not among the displayed lines, so confirm the algorithm reference in the full file before treating this as evidence.

dist/setup.js · L26
  26: type: 'command',
  27: command: `node -e "const fs=require('fs');const d=new Date().toISOString();try{require('child_process').execSync('npx agentdb add \\'${rvfPath}\\' \\'session-start: '+d+'\\'',{stdi...
  28: }],
High · Runtime Package Install
Package source invokes a package manager install command at runtime (npx agentdb ... is run through execSync inside a hook command, so the package is fetched and executed when the hook fires). Note that ${rvfPath} is interpolated into the single-quoted shell string passed to execSync; check where that value originates, since string interpolation into a shell command is only safe for fully trusted input.

Findings

3 High · 3 Medium · 5 Low

High · Child Process · dist/publish.js
High · Shell
High · Runtime Package Install · dist/setup.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk (force deep review)
Low · Scripts Present
Low · Weak Crypto · dist/upgrade.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
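To make concrete how signal categories of the kind listed in this report (Child Process, Shell, Runtime Package Install, Network, Environment Vars, Weak Crypto, High Entropy Strings, Url Strings) are typically produced, here is an added example of a minimal line-oriented signal scanner. It is illustrative code written for this page, not the registry's rust-scanner and not part of harness-core; the rule patterns, severities, entropy thresholds and the sample files are assumptions. The sample input is constructed to resemble the excerpts flagged above (the first three lines of dist/publish.js are the excerpt shown; everything else is made up).

```javascript
'use strict';

// Added example: a minimal line-oriented static signal scanner. The rule names
// mirror the finding categories used in this report; patterns, severities and
// thresholds are assumptions, not the registry scanner's actual rules.

// Shannon entropy in bits per character. Random hex tops out at 4.0 bits,
// random base64 at 6.0; prose and identifiers usually sit well below.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// One regex per signal. Comments are NOT stripped before matching, which is
// why a scanner of this shape can flag a doc comment that merely mentions an
// algorithm or command name; a reviewer has to confirm the hit is real code.
const RULES = [
  { signal: 'Child Process', severity: 'High',
    re: /\bchild_process\b|\bexecSync\b|\bspawn(?:Sync)?\s*\(|\bexecFile(?:Sync)?\s*\(/ },
  { signal: 'Shell', severity: 'High',
    re: /\bexecSync\s*\(\s*[`'"]|\bshell\s*:\s*true\b/ },
  { signal: 'Runtime Package Install', severity: 'High',
    re: /\b(?:npx\s+\S+|npm\s+(?:i|install|add)|pnpm\s+(?:add|install)|yarn\s+add|pip\s+install)\b/ },
  { signal: 'Network', severity: 'Medium',
    re: /\bnode:https?\b|\bfetch\s*\(|\bhttps?\.(?:request|get)\s*\(/ },
  { signal: 'Environment Vars', severity: 'Medium', re: /\bprocess\.env\b/ },
  { signal: 'Weak Crypto', severity: 'Low', re: /\b(?:md5|sha1|rc4|des)\b/i },
  { signal: 'Url Strings', severity: 'Low', re: /https?:\/\/[^\s'"`)]+/ },
];

// Secret-like literals: hex or base64-ish blobs of at least 20 chars whose
// entropy exceeds a per-alphabet threshold (a common heuristic; both values are
// assumptions here). Literals containing spaces or other punctuation are
// skipped so that command strings and URLs do not trip this rule.
const STRING_LITERAL = /(['"`])((?:\\.|(?!\1)[^\\])*)\1/g;
function isHighEntropy(lit) {
  if (/^[0-9a-f]{20,}$/i.test(lit)) return shannonEntropy(lit) >= 3.0;
  if (/^[A-Za-z0-9+/=_-]{20,}$/.test(lit)) return shannonEntropy(lit) >= 4.5;
  return false;
}

// Scan one file; report each signal at most once per file, at its first line.
function scanFile(path, source) {
  const findings = [];
  const seen = new Set();
  const add = (signal, severity, line) => {
    if (seen.has(signal)) return;
    seen.add(signal);
    findings.push({ file: path, line, signal, severity });
  };
  source.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    for (const rule of RULES) if (rule.re.test(text)) add(rule.signal, rule.severity, line);
    for (const m of text.matchAll(STRING_LITERAL)) {
      if (isHighEntropy(m[2])) add('High Entropy Strings', 'Low', line);
    }
  });
  return findings;
}

function scanPackage(files) {
  return Object.entries(files).flatMap(([path, src]) => scanFile(path, src));
}

// Roll findings up the way the report header does: counts per severity plus
// the distinct signal names.
function summarize(findings) {
  const counts = { High: 0, Medium: 0, Low: 0 };
  const signals = new Set();
  for (const f of findings) { counts[f.severity] += 1; signals.add(f.signal); }
  return { counts, signals: [...signals].sort() };
}

// Constructed sample package. The first three lines of dist/publish.js are the
// excerpt shown in this report; every other line is made up for the example.
const SAMPLE_FILES = {
  'dist/publish.js': [
    "import { join } from 'node:path';",
    "import { execSync } from 'node:child_process';",
    '/** Bump patch version: 0.3.11 → 0.3.12 */',
    "execSync(`npm version patch`, { stdio: 'inherit' });",
  ].join('\n'),
  'dist/setup.js': [
    'const hook = {',
    "  type: 'command',",
    '  command: `node -e "require(\'child_process\').execSync(\'npx agentdb add \' + p)"`,',
    '};',
  ].join('\n'),
  'dist/sync.js': [
    'const token = process.env.GITHUB_TOKEN;',
    "const res = await fetch('https://api.github.com/repos/x/y/releases/latest');",
    "const SEED = 'b7f3a9c2e41d58f0a6c9e2d7b1f4a3c8';",
    "const digest = crypto.createHash('md5').update(body).digest('hex');",
  ].join('\n'),
};

const REPORT = summarize(scanPackage(SAMPLE_FILES));
console.log(JSON.stringify({ findings: scanPackage(SAMPLE_FILES), ...REPORT }, null, 2));
```

Run it with node. The scanner reports each signal once per file at the first matching line, which is the shape of the per-file line references above. Because this example matches comments as plain text, a Weak Crypto hit on a header comment is exactly the kind of result that needs the matched line inspected before it counts as evidence, and a Runtime Package Install hit is strongest when, as in the setup.js excerpt, the install command sits inside an execSync call rather than in documentation.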