registry  /  @meetless/mla  /  0.2.6

@meetless/mla@0.2.6

Meetless CLI (mla): governed change-control and knowledge for AI coding agents.

Static Scan Results

scanned 8h ago · by rust-scanner

Static analysis completed at 93.0% confidence. No malicious behavior was detected; 11 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 234 file(s), 2.67 MB of source, external domains: 127.0.0.1, app.meetless.ai, cloud.langfuse.com, control.meetless.ai, github.com, intel.meetless.ai, json-schema.org, meetless.ai, raw.githubusercontent.com, spec.openapis.org, stackoverflow.com, storage.googleapis.com, tools.ietf.org, www.safaribooksonline.com, www.w3.org

Source & flagged code

4 flagged · loading source
dist/commands/ask.jsView file
100// (dist/commands -> dist -> cli -> packages). L101: const trueDynamicImport = new Function("u", "return import(u)"); L102: function askCoreDir() {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/commands/ask.jsView on unpkg · L100
dist/connectors/claude-code/plugin-detect.jsView file
58// 64KB, GH #36685): the command redirects to a temp file we then read whole. L59: const fs = __importStar(require("fs")); L60: const os = __importStar(require("os"));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/connectors/claude-code/plugin-detect.jsView on unpkg · L58
dist/hooks-template/user-prompt-submit.shView file
path = dist/hooks-template/user-prompt-submit.sh kind = build_helper sizeBytes = 85228 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/hooks-template/user-prompt-submit.shView on unpkg
dist/commands/activate.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @meetless/mla@0.2.1 matchedIdentity = npm:QG1lZXRsZXNzL21sYQ:0.2.1 similarity = 0.883 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/activate.jsView on unpkg

Findings

1 High5 Medium5 Low
HighPrevious Version Dangerous Deltadist/commands/activate.js
MediumDynamic Requiredist/connectors/claude-code/plugin-detect.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdist/hooks-template/user-prompt-submit.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/commands/ask.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings