registry  /  @mmerterden/multi-agent-pipeline  /  11.3.1

@mmerterden/multi-agent-pipeline@11.3.1

8-phase AI development pipeline with full orchestration on Claude Code and Copilot CLI. Analysis, planning, TDD, CLI-aware parallel review with consensus surfacing + Fable triage, default-FAIL evidence gates, secret + intent guards, per-phase cost ledger,

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 25 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 56 file(s), 333 KB of source, external domains: github.com, mmerterden.vercel.app

Source & flagged code

18 flagged · loading source
pipeline/scripts/smoke-pre-commit.shView file
81patternName = aws_access_key severity = critical line = 81 matchedText = 'aws_key...LE"'
Critical
Critical Secret

Package contains a critical-looking secret pattern.

pipeline/scripts/smoke-pre-commit.shView on unpkg · L81
81patternName = aws_access_key severity = critical line = 81 matchedText = 'aws_key...LE"'
Critical
Secret Pattern

AWS access key ID in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L81
85patternName = private_key_rsa severity = critical line = 85 matchedText = '-----BE...---'
Critical
Secret Pattern

RSA private key in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L85
89patternName = private_key_rsa severity = critical line = 89 matchedText = '-----BE...---'
Critical
Secret Pattern

RSA private key in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L89
93patternName = private_key_ec severity = critical line = 93 matchedText = '-----BE...---'
Critical
Secret Pattern

EC private key in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L93
101patternName = github_pat severity = critical line = 101 matchedText = 'token: ...789'
Critical
Secret Pattern

GitHub personal access token in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L101
121patternName = github_pat severity = critical line = 121 matchedText = 'token: ...789'
Critical
Secret Pattern

GitHub personal access token in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L121
109patternName = google_api_key severity = high line = 109 matchedText = 'gmaps =...uv"'
High
Secret Pattern

Google API key in pipeline/scripts/smoke-pre-commit.sh

pipeline/scripts/smoke-pre-commit.shView on unpkg · L109
pipeline/scripts/migrate-state.mjsView file
184try { L185: const mod = await import(pathToFileURL(step.path).href); L186: if (typeof mod.default !== "function") {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

pipeline/scripts/migrate-state.mjsView on unpkg · L184
install/_telemetry.mjsView file
9L10: import { execSync } from "child_process"; L11: import { readFileSync } from "fs"; ... L15: /** L16: * Run a shell command silently and return its trimmed stdout, or undefined on error. L17: * @param {string} cmd ... L34: export async function sendInstallTelemetry(ctx) { L35: if (process.env.MULTI_AGENT_TELEMETRY !== "1") return; L36: ... L40: else if (process.env.npm[redacted] === "true") method = "global"; L41: else if (process.env.npm[redacted] === "install") method = "npm-install"; L42:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

install/_telemetry.mjsView on unpkg · L9
pipeline/scripts/smoke-md2confluence.shView file
path = pipeline/scripts/smoke-md2confluence.sh kind = build_helper sizeBytes = 3800 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

pipeline/scripts/smoke-md2confluence.shView on unpkg
pipeline/scripts/lint-skills.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @mmerterden/multi-agent-pipeline@11.3.0 matchedIdentity = npm:[redacted]:11.3.0 similarity = 0.909 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

pipeline/scripts/lint-skills.mjsView on unpkg
pipeline/skills/shared/external/swift-security/references/cryptokit-symmetric.mdView file
309patternName = generic_password severity = medium line = 309 matchedText = let pass...123"
Medium
Secret Pattern

Hardcoded password in pipeline/skills/shared/external/swift-security/references/cryptokit-symmetric.md

pipeline/skills/shared/external/swift-security/references/cryptokit-symmetric.mdView on unpkg · L309
pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.mdView file
359patternName = private_key_rsa severity = critical line = 359 matchedText = CryptoKi...ies.
Critical
Secret Pattern

RSA private key in pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.md

pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.mdView on unpkg · L359
359patternName = private_key_ec severity = critical line = 359 matchedText = CryptoKi...ies.
Critical
Secret Pattern

EC private key in pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.md

pipeline/skills/shared/external/swift-security/references/cryptokit-public-key.mdView on unpkg · L359
pipeline/skills/shared/external/swift-security/references/keychain-sharing.mdView file
142patternName = generic_password severity = medium line = 142 matchedText = let pass...f8)!
Medium
Secret Pattern

Hardcoded password in pipeline/skills/shared/external/swift-security/references/keychain-sharing.md

pipeline/skills/shared/external/swift-security/references/keychain-sharing.mdView on unpkg · L142
pipeline/skills/shared/external/swift-testing/references/testing-patterns.mdView file
437patternName = generic_password severity = medium line = 437 matchedText = let home...rd")
Medium
Secret Pattern

Hardcoded password in pipeline/skills/shared/external/swift-testing/references/testing-patterns.md

pipeline/skills/shared/external/swift-testing/references/testing-patterns.mdView on unpkg · L437
pipeline/skills/shared/external/web-testing/SKILL.mdView file
162patternName = generic_password severity = medium line = 162 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in pipeline/skills/shared/external/web-testing/SKILL.md

pipeline/skills/shared/external/web-testing/SKILL.mdView on unpkg · L162

Findings

9 Critical3 High9 Medium4 Low
CriticalCritical Secretpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/scripts/smoke-pre-commit.sh
CriticalSecret Patternpipeline/skills/shared/external/swift-security/references/cryptokit-public-key.md
CriticalSecret Patternpipeline/skills/shared/external/swift-security/references/cryptokit-public-key.md
HighSandbox Evasion Gated Capabilityinstall/_telemetry.mjs
HighPrevious Version Dangerous Deltapipeline/scripts/lint-skills.mjs
HighSecret Patternpipeline/scripts/smoke-pre-commit.sh
MediumDynamic Requirepipeline/scripts/migrate-state.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperpipeline/scripts/smoke-md2confluence.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternpipeline/skills/shared/external/swift-security/references/cryptokit-symmetric.md
MediumSecret Patternpipeline/skills/shared/external/swift-security/references/keychain-sharing.md
MediumSecret Patternpipeline/skills/shared/external/swift-testing/references/testing-patterns.md
MediumSecret Patternpipeline/skills/shared/external/web-testing/SKILL.md
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings