registry  /  claude-dev-env  /  1.93.1

claude-dev-env@1.93.1

Claude Code development standards — rules, hooks, agents, commands, and skills

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEvalFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 41 file(s), 502 KB of source, external domains: github.com

Source & flagged code

7 flagged · loading source
hooks/blocking/test_pii_scanner.pyView file
24patternName = private_key_rsa severity = critical line = 24 matchedText = SYNTHETI...---"
Critical
Critical Secret

Package contains a critical-looking secret pattern.

hooks/blocking/test_pii_scanner.pyView on unpkg · L24
24patternName = private_key_rsa severity = critical line = 24 matchedText = SYNTHETI...---"
Critical
Secret Pattern

RSA private key in hooks/blocking/test_pii_scanner.py

hooks/blocking/test_pii_scanner.pyView on unpkg · L24
skills/autoconverge/workflow/converge_multi.run-input.test.mjsView file
17L18: const productionModule = new Function( L19: `${sourceSliceBetween('function normalizeMultiInput(', '\nconst multiInput =')}\n` +
Low
Eval

Package source references a known benign dynamic code generation pattern.

skills/autoconverge/workflow/converge_multi.run-input.test.mjsView on unpkg · L17
agents/test_agent_frontmatter.pyView file
path = agents/test_agent_frontmatter.py kind = build_helper sizeBytes = 2871 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

agents/test_agent_frontmatter.pyView on unpkg
scripts/tests/test_sync_to_cursor.pyView file
path = scripts/tests/test_sync_to_cursor.py kind = payload_in_excluded_dir sizeBytes = 13986 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

scripts/tests/test_sync_to_cursor.pyView on unpkg
bin/install.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = claude-dev-env@1.92.1 matchedIdentity = npm:Y2xhdWRlLWRldi1lbnY:1.92.1 similarity = 0.846 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/install.mjsView on unpkg
hooks/validators/test_security_checks.pyView file
28patternName = generic_password severity = medium line = 28 matchedText = password...123"
Medium
Secret Pattern

Hardcoded password in hooks/validators/test_security_checks.py

hooks/validators/test_security_checks.pyView on unpkg · L28

Findings

2 Critical2 High3 Medium5 Low
CriticalCritical Secrethooks/blocking/test_pii_scanner.py
CriticalSecret Patternhooks/blocking/test_pii_scanner.py
HighPayload In Excluded Dirscripts/tests/test_sync_to_cursor.py
HighPrevious Version Dangerous Deltabin/install.mjs
MediumShips Build Helperagents/test_agent_frontmatter.py
MediumStructural Risk Force Deep Review
MediumSecret Patternhooks/validators/test_security_checks.py
LowScripts Present
LowEvalskills/autoconverge/workflow/converge_multi.run-input.test.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings