
@pilotspace/add@1.15.0

ADD (AI-Driven Development). One skill. Eight steps. Five disciplines. Every feature ships through the loop — a minimal, state-tracked Claude Code skill that ships the AIDD book as its trust layer.

Static Scan Results

scanned 3d ago · by rust-scanner

Static analysis flagged 12 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: Crypto, Dynamic Require, Environment Vars, Filesystem
Supply chain: High Entropy Strings
Manifest: No manifest risk signals triggered.
scanned 1 file(s), 61.9 KB of source

Source & flagged code

6 flagged
personas-teacher/security/security-senior-secops.md
L47: patternName = private_key_ec severity = critical line = 47 matchedText = -----BEG...----
Critical
Critical Secret

Package contains a critical-looking secret pattern.

personas-teacher/security/security-senior-secops.md · L47
L46: patternName = private_key_rsa severity = critical line = 46 matchedText = -----BEG...----
Critical
Secret Pattern

RSA private key in personas-teacher/security/security-senior-secops.md

personas-teacher/security/security-senior-secops.md · L46
L47: patternName = private_key_ec severity = critical line = 47 matchedText = -----BEG...----
Critical
Secret Pattern

EC private key in personas-teacher/security/security-senior-secops.md

personas-teacher/security/security-senior-secops.md · L47
bin/cli.js
L18: * One lazy, optional dependency (@clack/prompts) powers the interactive flow on a real
L19: * terminal; it is dynamic-import()ed ONLY on that path, so a non-interactive / CI run
L20: * (and the `--yes` / `--non-interactive` path) never loads it and degrades to plain text
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cli.js · L18
L31: const PKG_ROOT = path.resolve(__dirname, "..");
L32:
L33: function log(msg) { process.stdout.write(msg + "\n"); }
L34: function warn(msg) { process.stderr.write("warn: " + msg + "\n"); }
...
L153: try {
L154:   const dirs = (process.env.PATH || "").split(path.delimiter).filter(Boolean);
L155:   const exts = process.platform === "win32"
L156:     ? (process.env.PATHEXT || ".EXE;.CMD;.BAT").split(";")
...
L470:   if (!process.stdin.isTTY) return { cancelled: true, target: target };
L471:   const chosen = await clack.text({
L472:     message: "Install ADD into which directory?",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/cli.js · L30
tooling/add.py
path = tooling/add.py kind = build_helper sizeBytes = 399120 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

tooling/add.py

Findings

3 Critical · 4 Medium · 5 Low
Critical · Critical Secret · personas-teacher/security/security-senior-secops.md
Critical · Secret Pattern · personas-teacher/security/security-senior-secops.md
Critical · Secret Pattern · personas-teacher/security/security-senior-secops.md
Medium · Dynamic Require · bin/cli.js
Medium · Environment Vars
Medium · Ships Build Helper · tooling/add.py
Medium · Structural Risk (Force Deep Review)
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · bin/cli.js
Low · Filesystem
Low · High Entropy Strings