
@dzhechkov/harness-core@0.3.43

⚠ Under review

Shared harness logic - skill loading, additive apply, and the init/sync/verify/doctor operations.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 50 file(s), 488 KB of source, external domains: api.github.com, api.npmjs.org, github.com, json-schema.org, raw.githubusercontent.com

Source & flagged code

6 flagged

dist/publish.js · L8-L10
    import { join } from 'node:path';
    import { execSync } from 'node:child_process';
    /** Bump patch version: 0.3.11 → 0.3.12 */
High · Child Process

Package source references child process execution.
dist/setup.js · L104-L106
    const child = process.platform === 'win32'
        ? spawn('dz consolidate --project "' + ROOT + '"', { detached: true, stdio: 'ignore', shell: true, cwd: ROOT })
        : spawn('dz', ['consolidate', '--project', ROOT], { detached: true, stdio: 'ignore', cwd: ROOT });
High · Shell

Package source references shell execution.
dist/setup.js · L231-L233
    // local copy away from the version the MCP registration pins (audit gap G7).
    execSync('npm install agentdb better-sqlite3 --save-exact --no-audit --no-fund --loglevel=error', {
        cwd: projectRoot,
High · Runtime Package Install

Package source invokes a package manager install command at runtime.
dist/patterns.js
    matchType = previous_version_dangerous_delta
    matchedPackage = @dzhechkov/harness-core@0.3.41
    matchedIdentity = npm:QGR6aGVjaGtvdi9oYXJuZXNzLWNvcmU:0.3.41
    similarity = 0.840
    summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.
dist/patterns.js · L530-L532
    try {
        const req = createRequire(join(projectRoot, 'package.json'));
        sqliteUrl = pathToFileURL(req.resolve('better-sqlite3')).href;
Medium · Dynamic Require

Package source references dynamic require/import behavior.
dist/upgrade.js · L1-L2
    /**
     * Skill upgrade — detects installed skills and re-applies from canonical source.
Low · Weak Crypto

Package source references weak cryptographic algorithms.

Findings

1 Critical · 3 High · 4 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dist/patterns.js
High · Child Process · dist/publish.js
High · Shell · dist/setup.js
High · Runtime Package Install · dist/setup.js
Medium · Dynamic Require · dist/patterns.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Weak Crypto · dist/upgrade.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings