@sdsrs/agentsmd@2.14.0

A global coding-discipline spec for Codex, enforced by native Codex hooks + a rule-hit telemetry closed loop. Independent of oh-my-codex.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Dynamic Require, Environment Vars, Filesystem
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 44 file(s), 361 KB of source, external domains: github.com

Source & flagged code

6 flagged
hooks/tests/smoke.sh
386: patternName = aws_access_key severity = critical line = 386 matchedText = printf '...2>&1
Critical
Critical Secret

Package contains a critical-looking secret pattern.

hooks/tests/smoke.sh · L386
386: patternName = aws_access_key severity = critical line = 386 matchedText = printf '...2>&1
Critical
Secret Pattern

AWS access key ID in hooks/tests/smoke.sh

hooks/tests/smoke.sh · L386
path = hooks/tests/smoke.sh kind = payload_in_excluded_dir sizeBytes = 40980 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

hooks/tests/smoke.sh
bin/agentsmd.js
matchType = previous_version_dangerous_delta matchedPackage = @sdsrs/agentsmd@2.13.0 matchedIdentity = npm:QHNkc3JzL2FnZW50c21k:2.13.0 similarity = 0.882 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/agentsmd.js
9: L10: const path = require('path'); L11: const cp = require('child_process');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/agentsmd.js · L9
install.sh
path = install.sh kind = build_helper sizeBytes = 6889 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.sh

Findings

2 Critical · 2 High · 4 Medium · 4 Low
Critical · Critical Secret · hooks/tests/smoke.sh
Critical · Secret Pattern · hooks/tests/smoke.sh
High · Payload In Excluded Dir · hooks/tests/smoke.sh
High · Previous Version Dangerous Delta · bin/agentsmd.js
Medium · Dynamic Require · bin/agentsmd.js
Medium · Environment Vars
Medium · Ships Build Helper · install.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings