registry  /  @massu/core  /  1.15.1

@massu/core@1.15.1

AI Engineering Governance MCP Server - Session memory, knowledge system, feature registry, code intelligence, rule enforcement, tiered tooling (12 free / 73 total), 56 workflow commands, 11 agents, 20+ patterns

Static Scan Results

scanned 10d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 25 file(s), 2.17 MB of source, external domains: code.claude.com, massu.ai, registry.massu.ai, unpkg.com

Source & flagged code

3 flagged · loading source
dist/hooks/post-tool-use.jsView file
1910severity: "high", L1911: description: "Use of eval() - code injection risk" L1912: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/hooks/post-tool-use.jsView on unpkg · L1910
dist/cli.jsView file
67function findProjectRoot() { L68: const cwd = process.cwd(); L69: let dir = cwd; ... L79: while (true) { L80: if (existsSync(resolve(dir, "package.json"))) { L81: return dir; ... L178: }; L179: if (!_config.cloud?.apiKey && process.env.MASSU_API_KEY) { L180: _config.cloud = { ... L1429: created_at: r2.created_at, L1430: metadata: safeJsonParse(r2.metadata_json) ?? {} L1431: }));
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/cli.jsView on unpkg · L67
patterns/testing-patterns.mdView file
530patternName = generic_password severity = medium line = 530 matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in patterns/testing-patterns.md

patterns/testing-patterns.mdView on unpkg · L530

Findings

1 High5 Medium7 Low
HighObfuscated Payload Loaderdist/cli.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternpatterns/testing-patterns.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/hooks/post-tool-use.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License