registry  /  @tekyzinc/gsd-t  /  4.16.10

@tekyzinc/gsd-t@4.16.10

GSD-T: Contract-Driven Development for Claude Code — 54 slash commands with headless-by-default workflow spawning, unattended supervisor relay with event stream, graph-powered code analysis, real-time agent dashboard, task telemetry, doc-ripple enforcemen

Static Scan Results

scanned 7d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 132 file(s), 1.79 MB of source, external domains: 127.0.0.1, console.anthropic.com, github.com, mcp.figma.com, mermaid.js.org, pandoc.org, registry.npmjs.org

Source & flagged code

6 flagged · loading source
bin/gsd-t-ci-parity.cjsView file
38const path = require('path'); L39: const child_process = require('child_process'); L40:
High
Child Process

Package source references child process execution.

bin/gsd-t-ci-parity.cjsView on unpkg · L38
bin/gsd-t-test-data-ledger.cjsView file
11L12: const fs = require('node:fs'); L13: const path = require('node:path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/gsd-t-test-data-ledger.cjsView on unpkg · L11
scripts/gsd-t-stream-feed-server.jsView file
6* persists every frame to .gsd-t/stream-feed/YYYY-MM-DD.jsonl (persist-before-broadcast), L7: * rotates daily at UTC midnight, broadcasts over WebSocket at /feed (with ?from=N replay), L8: * enforces 127.0.0.1-only, kicks backpressured clients after 1000-frame buffer. ... L26: function createStreamFeedServer(opts = {}) { L27: const projectDir = opts.projectDir || process.cwd(); L28: const port = Number(opts.port || process.env.GSD_T_STREAM_FEED_PORT || DEFAULT_PORT); L29: const feedDir = path.join(projectDir, '.gsd-t', 'stream-feed'); ... L51: if (d === currentDate) return; L52: try { writeStream.end(); } catch { /* noop */ } L53: currentDate = d; ... L68: } catch (e) { L69: process.stderr.write(`[stream-feed-server] persist failed: ${e.message}\n`);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/gsd-t-stream-feed-server.jsView on unpkg · L6
bin/gsd-t.jsView file
6* Usage: L7: * npx @tekyzinc/gsd-t install — Install commands + global CLAUDE.md L8: * npx @tekyzinc/gsd-t update — Update commands + global CLAUDE.md (preserves customizations) ... L21: const readline = require("readline"); L22: const { execFileSync, spawn: cpSpawn } = require("child_process"); L23: let debugLedger;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/gsd-t.jsView on unpkg · L6
scripts/statusline-command.shView file
path = scripts/statusline-command.sh kind = build_helper sizeBytes = 4459 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/statusline-command.shView on unpkg
templates/stacks/node-api.mdView file
118patternName = generic_password severity = medium line = 118 matchedText = **BAD:**... })`
Medium
Secret Pattern

Hardcoded password in templates/stacks/node-api.md

templates/stacks/node-api.mdView on unpkg · L118

Findings

3 High6 Medium6 Low
HighChild Processbin/gsd-t-ci-parity.cjs
HighShell
HighRuntime Package Installbin/gsd-t.js
MediumDynamic Requirebin/gsd-t-test-data-ledger.cjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/statusline-command.sh
MediumStructural Risk Force Deep Review
MediumSecret Patterntemplates/stacks/node-api.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptoscripts/gsd-t-stream-feed-server.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings