registry  /  @ikon85/agent-workflow-kit  /  0.14.0

@ikon85/agent-workflow-kit@0.14.0

⚠ Under review

Portable AI-agent workflow skills (plan → execute → land → learn) for Claude Code & Codex — grilling, TDD, diagnosis, two-axis code review, cross-model Codex review, design & domain-modeling, plus a skill router (ask-matt). npx init/update/diff/uninstall.

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 39 file(s), 132 KB of source, external domains: github.com, testreporter.iverra.de

Source & flagged code

5 flagged · loading source
scripts/release-state.mjsView file
1import { execFile } from 'node:child_process'; L2: import { mkdtemp, rm } from 'node:fs/promises';
High
Child Process

Package source references child process execution.

scripts/release-state.mjsView on unpkg · L1
scripts/build-kit.test.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @ikon85/agent-workflow-kit@0.11.0 matchedIdentity = npm:[redacted]:0.11.0 similarity = 0.846 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/build-kit.test.mjsView on unpkg
51test('npm pack keeps the complete scripts tree but excludes Python caches', () => { L52: const output = execFileSync('npm', ['pack', '--dry-run', '--json'], { L53: cwd: REPO, encoding: 'utf8', ... L65: L66: test('packed scoped artifact keeps the existing npx default-bin inference', async () => { L67: const destination = await mkdtemp(join(tmpdir(), 'awkit-pack-'));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/build-kit.test.mjsView on unpkg · L51
.agents/skills/diagnose/scripts/hitl-loop.template.shView file
path = .[redacted]-loop.template.sh kind = payload_in_excluded_dir sizeBytes = 1164 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.agents/skills/diagnose/scripts/hitl-loop.template.shView on unpkg
path = .[redacted]-loop.template.sh kind = build_helper sizeBytes = 1164 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

.agents/skills/diagnose/scripts/hitl-loop.template.shView on unpkg

Findings

1 Critical4 High3 Medium4 Low
CriticalPrevious Version Dangerous Deltascripts/build-kit.test.mjs
HighChild Processscripts/release-state.mjs
HighShell
HighRuntime Package Installscripts/build-kit.test.mjs
HighPayload In Excluded Dir.agents/skills/diagnose/scripts/hitl-loop.template.sh
MediumEnvironment Vars
MediumShips Build Helper.agents/skills/diagnose/scripts/hitl-loop.template.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings