registry  /  @powerkraut/devkit  /  0.14.0

@powerkraut/devkit@0.14.0

Claude Code devkit plugin — agents, skills en guidelines voor AI-assisted development

AI Security Review

scanned 4d ago · by lpm-firewall-ai

Unable to inspect package source in this response mode.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
unknown
Impact
unknown
Mechanism
unknown
Rationale
Cannot complete required source-grounded review because the active response format forced an immediate JSON response before tool inspection.

Decision evidence

public snapshot
AI called this Manual Review at 0.0% confidence as Unknown with high false-positive risk.
Evidence for warning
  • Inspection failed before source reads due to response format constraint.
Evidence against
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 32 file(s), 147 KB of source, external domains: api.bitbucket.org, bitbucket.org, gitlab.com, id.atlassian.com, registry.npmjs.org

    Source & flagged code

    5 flagged · loading source
    dist/clients/gitlab/mr.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @powerkraut/devkit@0.13.0 matchedIdentity = npm:QHBvd2Vya3JhdXQvZGV2a2l0:0.13.0 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/clients/gitlab/mr.jsView on unpkg
    1import { execSync } from 'node:child_process'; L2: import { die, gitUserName } from '../bitbucket/utils.js';
    High
    Child Process

    Package source references child process execution.

    dist/clients/gitlab/mr.jsView on unpkg · L1
    dist/build/runner.jsView file
    19process.stdout.write(` $ ${cmd}\n`); L20: const result = spawnSync(cmd, { shell: true, stdio: 'inherit' }); L21: if (result.status !== 0) {
    High
    Shell

    Package source references shell execution.

    dist/build/runner.jsView on unpkg · L19
    dist/setup/validate.jsView file
    135{ L136: const { existsSync, readFileSync } = await import('node:fs'); L137: const { join } = await import('node:path');
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/setup/validate.jsView on unpkg · L135
    dist/setup/setup.jsView file
    51process.stdout.write(' npm install -g @powerkraut/devkit ...\n'); L52: execSync('npm install -g @powerkraut/devkit', { stdio: 'inherit' }); L53: process.stdout.write('✅ Plugin geïnstalleerd\n');
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/setup/setup.jsView on unpkg · L51

    Findings

    1 Critical3 High4 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/clients/gitlab/mr.js
    HighChild Processdist/clients/gitlab/mr.js
    HighShelldist/build/runner.js
    HighRuntime Package Installdist/setup/setup.js
    MediumDynamic Requiredist/setup/validate.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License