registry  /  cdsa-harness  /  0.22.2

cdsa-harness@0.22.2

AI 에이전트의 내부 동작을 단계별로 드러내는 교육용 터미널 하네스. 실시간 스트리밍 + OpenAI/Claude/OpenRouter + MCP + npm 플러그인·크로스포맷 스킬.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 183 KB of source, external domains: api.anthropic.com, api.openai.com, github.com, openrouter.ai, registry.npmjs.org

Source & flagged code

3 flagged · loading source
src/tools.jsView file
2// LLM 은 생각만 하고, 실제 파일 조작/명령 실행은 전부 여기서 이뤄진다. L3: import { execSync } from "node:child_process"; L4: import fs from "node:fs";
High
Child Process

Package source references child process execution.

src/tools.jsView on unpkg · L2
src/plugins.jsView file
40try { L41: const mod = await import(pathToFileURL(full).href); L42: const def = mod.default || mod.plugin || mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/plugins.jsView on unpkg · L40
src/cli.jsView file
656} L657: console.log(c.cyan(`npm install ${pkgs.join(" ")} ...`)); L658: try { L659: execFileSync("npm", ["install", ...pkgs], { stdio: "inherit", cwd: process.cwd() }); L660: console.log(c.green("설치 완료. 다음 실행부터 플러그인이 자동으로 로드됩니다 (/plugins 로 확인)."));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/cli.jsView on unpkg · L656

Findings

3 High4 Medium4 Low
HighChild Processsrc/tools.js
HighShell
HighRuntime Package Installsrc/cli.js
MediumDynamic Requiresrc/plugins.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings