registry  /  claude-dev-env  /  1.82.0

claude-dev-env@1.82.0

⚠ Under review

Claude Code development standards — rules, hooks, agents, commands, and skills

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 10 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 39 file(s), 378 KB of source, external domains: github.com

Source & flagged code

5 flagged · loading source
hooks/validators/test_security_checks.pyView file
28patternName = generic_password severity = medium line = 28 matchedText = password...123"
Medium
Secret Pattern

Package contains a possible secret pattern.

hooks/validators/test_security_checks.pyView on unpkg · L28
skills/autoconverge/workflow/converge_multi.run-input.test.mjsView file
17L18: const productionModule = new Function( L19: `${sourceSliceBetween('function normalizeMultiInput(', '\nconst multiInput =')}\n` +
Low
Eval

Package source references a known benign dynamic code generation pattern.

skills/autoconverge/workflow/converge_multi.run-input.test.mjsView on unpkg · L17
hooks/git-hooks/pre_commit.pyView file
path = hooks/git-hooks/pre_commit.py kind = build_helper sizeBytes = 2045 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

hooks/git-hooks/pre_commit.pyView on unpkg
scripts/tests/test_sync_to_cursor.pyView file
path = scripts/tests/test_sync_to_cursor.py kind = payload_in_excluded_dir sizeBytes = 13986 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

scripts/tests/test_sync_to_cursor.pyView on unpkg
skills/autoconverge/workflow/converge.contract.test.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = claude-dev-env@1.80.0 matchedIdentity = npm:Y2xhdWRlLWRldi1lbnY:1.80.0 similarity = 0.846 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

skills/autoconverge/workflow/converge.contract.test.mjsView on unpkg

Findings

1 Critical1 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltaskills/autoconverge/workflow/converge.contract.test.mjs
HighPayload In Excluded Dirscripts/tests/test_sync_to_cursor.py
MediumSecret Patternhooks/validators/test_security_checks.py
MediumShips Build Helperhooks/git-hooks/pre_commit.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalskills/autoconverge/workflow/converge_multi.run-input.test.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings