registry  /  harness-aim-mcp  /  1.0.47

harness-aim-mcp@1.0.47

AIM — AI Maestro for the Harness platform. Your personal Harness Architect, powered by the Harness Adoption MCP server.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis completed at 65.0% confidence. No malicious behavior was detected; 14 low-signal pattern(s) were surfaced and cleared.

Static reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 332 file(s), 3.04 MB of source, external domains: 127.0.0.1, api.elevenlabs.io, api.openai.com, app.harness.io, cdn.jsdelivr.net, developer.harness.io, fonts.googleapis.com, fonts.gstatic.com, harness.io, mermaid.js.org, texttospeech.googleapis.com, www.w3.org, your-tenant.atlassian.net

Source & flagged code

3 flagged · loading source
build/tools/harness-ccm-showcase.jsView file
13import * as path from "node:path"; L14: import { spawn } from "node:child_process"; L15: import { resolve, dirname } from "node:path";
High
Child Process

Package source references child process execution.

build/tools/harness-ccm-showcase.jsView on unpkg · L13
build/report-renderer/index.jsView file
30*/ L31: const REPORT_API_KEY = process.env.REPORT_API_KEY?.trim() || undefined; L32: function requireReportApiKey(req, res, next) { ... L40: if (token !== REPORT_API_KEY) { L41: res.status(401).json({ error: "Unauthorized — set Authorization: Bearer <REPORT_API_KEY>" }); L42: return; ... L67: try { L68: const oldPath = path.resolve(process.cwd(), "aim-pdf-out", "report-registry.json"); L69: if (fs.existsSync(oldPath) && !fs.existsSync(REGISTRY_PERSIST_PATH)) { ... L248: throw new Error(`Failed to load theme template from ${templatePath}: ${String(err)}. ` + L249: `If this is an external pack, ensure a package.json with { "type": "module" } ` + L250: `exists in the pack directory.`);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

build/report-renderer/index.jsView on unpkg · L30
build/tools/reports/harness-adoption-reports-render.jsView file
9* L10: * When HARNESS_AIM_REPORTS_URL is set (e.g. "http://localhost:4321"), this L11: * tool does NOT register the report itself. Instead it validates the file and ... L18: import * as path from "node:path"; L19: import { spawn } from "node:child_process"; L20: import matter from "gray-matter"; ... L23: /** URL of the aim-reports server when running as a separate process. */ L24: const AIM_REPORTS_URL = process.env.HARNESS_AIM_REPORTS_URL?.replace(/\/$/, "") || undefined; L25: // Theme IDs are discovered at runtime from the themes directory (and any
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

build/tools/reports/harness-adoption-reports-render.jsView on unpkg · L9

Findings

3 High3 Medium8 Low
HighChild Processbuild/tools/harness-ccm-showcase.js
HighShell
HighSame File Env Network Executionbuild/tools/reports/harness-adoption-reports-render.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowWeak Cryptobuild/report-renderer/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings