
groundwork-method@0.13.0

An installable delivery system for AI-driven software development: facilitated discovery to canonical docs, generators to a booted monorepo, and a contract-gated bet delivery loop.

Static Scan Results

scanned 2d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 111 file(s), 671 KB of source, external domains: 10.0.0.5, attacker.example, core.test, docs.astral.sh, example.com, golangci-lint.run

Source & flagged code

5 flagged

bin/groundwork.js
L6: const readline = require('readline');
L7: const { execSync, execFileSync } = require('child_process');
L8:
High
Child Process

Package source references child process execution.

bin/groundwork.js · L6

src/generators/workspace-dev-cli/cli-src/src/util/proc.ts
L29: export function sh(command: string, opts: SpawnSyncOptions = {}): RunResult {
L30: const r = spawnSync(command, { shell: true, encoding: 'utf8', ...opts });
L31: return {
High
Shell

Package source references shell execution.

src/generators/workspace-dev-cli/cli-src/src/util/proc.ts · L29

migrations/_template/cli-migration.js
L9:
L10: const fs = require('fs');
L11: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

migrations/_template/cli-migration.js · L9

dist/src/generators/nextjs-app/generator.js
L284: return () => {
L285: const { execSync } = require('child_process');
L286: try {
...
L289: catch (e) {
L290: console.warn(`Failed to run pnpm install in ${projectRoot}. Run it manually.`);
L291: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/generators/nextjs-app/generator.js · L284

lib/repo-map/grammars/tree-sitter-go.wasm
path = lib/repo-map/grammars/tree-sitter-go.wasm
kind = wasm_module
sizeBytes = 218901
magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.


Findings

3 High · 5 Medium · 5 Low

High · Child Process · bin/groundwork.js
High · Shell · src/generators/workspace-dev-cli/cli-src/src/util/proc.ts
High · Runtime Package Install · dist/src/generators/nextjs-app/generator.js
Medium · Dynamic Require · migrations/_template/cli-migration.js
Medium · Network
Medium · Environment Vars
Medium · Ships Wasm Module · lib/repo-map/grammars/tree-sitter-go.wasm
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings