registry  /  @hasna/instructions  /  0.4.5

@hasna/instructions@0.4.5

AI coding agent instruction & configuration manager — store, version, apply, and share all your AI coding configs. CLI + MCP + HTTP API (instructions-serve) + generated SDK + Dashboard.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 702 KB of source, external domains: 127.0.0.1, github.com, opencode.ai, truststore.pki.rds.amazonaws.com

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = mkdir -p $HOME/.hasna/instructions $HOME/.hasna/instructions/backups 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = mkdir -p $HOME/.hasna/instructions $HOME/.hasna/instructions/backups 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @hasna/instructions@0.4.0 matchedIdentity = npm:QGhhc25hL2luc3RydWN0aW9ucw:0.4.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
79function getDbPath() { L80: if (process.env["HASNA_INSTRUCTIONS_DB_PATH"]) { L81: return process.env["HASNA_INSTRUCTIONS_DB_PATH"]; ... L245: try { L246: const parsed = JSON.parse(row.outputs || "[]"); L247: outputs = Array.isArray(parsed) ? parsed : []; ... L484: function detectMachineContext(overrides = {}) { L485: const homeDir = overrides.home_dir ?? process.env["CONFIGS_HOME"] ?? process.env["HOME"] ?? homedir(); L486: const os = overrides.os ?? currentOsType(); ... L491: id: "current-machine", L492: hostname: overrides.hostname ?? currentHostname(), L493: os,
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L79

Findings

2 High5 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighPrevious Version Dangerous Deltadist/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings