registry  /  @mmerterden/multi-agent-pipeline  /  10.4.0

@mmerterden/multi-agent-pipeline@10.4.0

8-phase AI development pipeline with full orchestration on Claude Code, Copilot CLI, Cursor, Antigravity, and VS Code Copilot Chat. Analysis, planning, TDD, CLI-aware parallel review with consensus surfacing + Opus triage, default-FAIL evidence gates, sec

Static Scan Results

scanned 8d ago · by rust-scanner

Static analysis flagged 24 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 60 file(s), 374 KB of source, external domains: github.com, mmerterden.vercel.app

Source & flagged code

17 flagged · loading source
pipeline/scripts/smoke-pre-commit.shView file
81patternName = aws_access_key severity = critical line = 81 matchedText = 'aws_key...LE"'
Critical
Critical Secret

Package contains a critical-looking secret pattern.

pipeline/scripts/smoke-pre-commit.shView on unpkg · L81
81patternName = aws_access_key severity = critical line = 81 matchedText = 'aws_key...LE"'
Critical
Secret Pattern

AWS access key ID in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L81
85patternName = private_key_rsa severity = critical line = 85 matchedText = '-----BE...---'
Critical
Secret Pattern

RSA private key in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L85
89patternName = private_key_rsa severity = critical line = 89 matchedText = '-----BE...---'
Critical
Secret Pattern

RSA private key in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L89
93patternName = private_key_ec severity = critical line = 93 matchedText = '-----BE...---'
Critical
Secret Pattern

EC private key in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L93
101patternName = github_pat severity = critical line = 101 matchedText = 'token: ...789'
Critical
Secret Pattern

GitHub personal access token in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L101
121patternName = github_pat severity = critical line = 121 matchedText = 'token: ...789'
Critical
Secret Pattern

GitHub personal access token in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L121
109patternName = google_api_key severity = high line = 109 matchedText = 'gmaps =...uv"'
High
Secret Pattern

Google API key in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L109
pipeline/scripts/uninstall.mjsView file
294try { L295: const adapter = (await import(join(PIPELINE_ROOT, "adapters", "cursor.mjs"))).default; L296: const result = adapter.uninstall({ target: adapterTarget });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

pipeline/scripts/uninstall.mjsView on unpkg · L294
install/_telemetry.mjsView file
9L10: import { execSync } from "child_process"; L11: import { readFileSync } from "fs"; ... L15: /** L16: * Run a shell command silently and return its trimmed stdout, or undefined on error. L17: * @param {string} cmd ... L34: export async function sendInstallTelemetry(ctx) { L35: if (process.env.MULTI_AGENT_TELEMETRY !== "1") return; L36: ... L40: else if (process.env.npm[redacted] === "true") method = "global"; L41: else if (process.env.npm[redacted] === "install") method = "npm-install"; L42:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

install/_telemetry.mjsView on unpkg · L9
pipeline/scripts/smoke-md2confluence.shView file
path = pipeline/scripts/smoke-md2confluence.sh kind = build_helper sizeBytes = 3800 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

pipeline/scripts/smoke-md2confluence.shView on unpkg
pipeline/skills/shared/external/swift-security/references/cryptokit-symmetric.mdView file
309patternName = generic_password severity = medium line = 309 matchedText = let pass...123"
Medium
Secret Pattern

Hardcoded password in pipeline/skills/shared/external/swift-security/references/cryptokit-symmetric.md

pipeline/skills/shared/external/swift-security/references/cryptokit-symmetric.mdView on unpkg · L309
pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.mdView file
359patternName = private_key_rsa severity = critical line = 359 matchedText = CryptoKi...ies.
Critical
Secret Pattern

RSA private key in pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.md

pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.mdView on unpkg · L359
359patternName = private_key_ec severity = critical line = 359 matchedText = CryptoKi...ies.
Critical
Secret Pattern

EC private key in pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.md

pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.mdView on unpkg · L359
pipeline/skills/shared/external/swift-security/references/keychain-sharing.mdView file
142patternName = generic_password severity = medium line = 142 matchedText = let pass...f8)!
Medium
Secret Pattern

Hardcoded password in pipeline/skills/shared/external/swift-security/references/keychain-sharing.md

pipeline/skills/shared/external/swift-security/references/keychain-sharing.mdView on unpkg · L142
pipeline/skills/shared/external/swift-testing/references/testing-patterns.mdView file
437patternName = generic_password severity = medium line = 437 matchedText = let home...rd")
Medium
Secret Pattern

Hardcoded password in pipeline/skills/shared/external/swift-testing/references/testing-patterns.md

pipeline/skills/shared/external/swift-testing/references/testing-patterns.mdView on unpkg · L437
pipeline/skills/shared/external/web-testing/SKILL.mdView file
162patternName = generic_password severity = medium line = 162 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in pipeline/skills/shared/external/web-testing/SKILL.md

pipeline/skills/shared/external/web-testing/SKILL.mdView on unpkg · L162

Findings

9 Critical2 High9 Medium4 Low
CriticalCritical Secretpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/skills/shared/external/swift-security/references/cryptokit-public-key.md
CriticalSecret Patternpipeline/skills/shared/external/swift-security/references/cryptokit-public-key.md
HighSandbox Evasion Gated Capabilityinstall/_telemetry.mjs
HighSecret Patternpipeline/scripts/smoke-pre-commit.sh
MediumDynamic Requirepipeline/scripts/uninstall.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpipeline/scripts/smoke-md2confluence.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternpipeline/skills/shared/external/swift-security/references/cryptokit-symmetric.md
MediumSecret Patternpipeline/skills/shared/external/swift-security/references/keychain-sharing.md
MediumSecret Patternpipeline/skills/shared/external/swift-testing/references/testing-patterns.md
MediumSecret Patternpipeline/skills/shared/external/web-testing/SKILL.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings