registry  /  @massu/core  /  1.15.7

@massu/core@1.15.7

AI Engineering Governance MCP Server - Session memory, knowledge system, feature registry, code intelligence, rule enforcement, tiered tooling (12 free / 73 total), 56 workflow commands, 11 agents, 20+ patterns

Static Scan Results

scanned 1d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 26 file(s), 4.15 MB of source, external domains: api.massu.ai, massu.ai, registry.massu.ai, unpkg.com

Source & flagged code

5 flagged · loading source
dist/hooks/post-tool-use.jsView file
1198try { L1199: const req = createRequire(import.meta.url); L1200: const main2 = req.resolve(ORT_PKG);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/hooks/post-tool-use.jsView on unpkg · L1198
4094severity: "high", L4095: description: "Use of eval() - code injection risk" L4096: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/hooks/post-tool-use.jsView on unpkg · L4094
dist/hooks/security-gate.jsView file
49} from "fs"; L50: function credentialsDir(home = homedir()) { L51: return resolve(home, ".massu"); ... L59: if (!existsSync(p)) return void 0; L60: const parsed = JSON.parse(readFileSync(p, "utf-8")); L61: const key = typeof parsed?.apiKey === "string" ? parsed.apiKey.trim() : ""; ... L70: function resolveApiKey(opts = {}) { L71: const env = opts.env ?? process.env; L72: const home = opts.home ?? homedir(); ... L102: MASSU_ENV_CLOUD_ENDPOINT = "MASSU_CLOUD_ENDPOINT"; L103: DEFAULT_CLOUD_ENDPOINT = "https://api.massu.ai/v1"; L104: }
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/hooks/security-gate.jsView on unpkg · L49
dist/hooks/memory-recall.jsView file
850package = @massu/core; repositoryIdentity = massu; dependency = better-sqlite3 L850: // src/db-backup.ts L851: import Database from "better-sqlite3"; L852: import { existsSync as existsSync3, mkdirSync as mkdirSync2, readdirSync, statSync, unlinkSync, copyFileSync, rmSync as rmSync2 } from "fs";
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/hooks/memory-recall.jsView on unpkg · L850
patterns/testing-patterns.mdView file
532patternName = generic_password severity = medium line = 532 matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in patterns/testing-patterns.md

patterns/testing-patterns.mdView on unpkg · L532

Findings

2 High5 Medium7 Low
HighObfuscated Payload Loaderdist/hooks/security-gate.js
HighCopied Package Dependency Bridgedist/hooks/memory-recall.js
MediumDynamic Requiredist/hooks/post-tool-use.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patternpatterns/testing-patterns.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/hooks/post-tool-use.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License