@jokerized/getresearchdone@0.4.9

Get Research Done — R&D workflow automation for Claude Code

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
    Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
    Supply chain: High Entropy Strings, Url Strings
    Manifest: No License
scanned 336 file(s), 4.47 MB of source, external domains: 127.0.0.1, api.openai.com, api.semanticscholar.org, arxiv.org, bun.sh, export.arxiv.org

Source & flagged code

7 flagged
package.json
    scripts.postinstall = node bin/postinstall.js
High · Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.
package.json
    scripts.postinstall = node bin/postinstall.js
Medium · Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.
dist/lib/research/runner.js · L5
    L5: // so the generated script path cannot inject shell commands.
    L6: const { execFileSync } = require('child_process');
    L7: function parseMetricsLine(stdout) {
High · Child Process

Package source references child process execution.
bin/grd-mcp-server.ts · L45
    L45: McpServer: McpServerConstructor;
    L46: } = require('../lib/mcp-server');
    L47:
Medium · Dynamic Require

Package source references dynamic require/import behavior.
dist/lib/research/fetch.js · L141
    L141: const { resp, finalUrl, maxBytes } = await httpResolve(url, opts);
    L142: const body = await resp.text();
    L143: if (body.length > maxBytes) ...
    L189: '',
    L190: `_Source: https://arxiv.org/abs/${id}_`,
    L191: '',
    ...
    L239: async function fetchSource(cwd, input, opts = {}) {
    L240: const d = detectSource(cwd, input, { pdfBody: opts.pdfBody });
    L241: if (d.kind === 'local')
Low · Weak Crypto

Package source references weak cryptographic algorithms.
dist/lib/autoresearch.js#virtual:normalized:round1 · L106
    L106: case 'test_count': {
    L107: const result = child_process.spawnSync('npx', ['jest', '--json', '--silent'], {
    L108: cwd,
High · Runtime Package Install

Package source invokes a package manager install command at runtime.
bin/harness_driver.py
    path = bin/harness_driver.py
    kind = build_helper
    sizeBytes = 37140
    magicHex = [redacted]
Medium · Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Findings

4 High · 6 Medium · 7 Low

High · Install Time Lifecycle Scripts · package.json
High · Child Process · dist/lib/research/runner.js
High · Shell
High · Runtime Package Install · dist/lib/autoresearch.js#virtual:normalized:round1
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · bin/grd-mcp-server.ts
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · bin/harness_driver.py
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/lib/research/fetch.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License