registry  /  harnessed  /  4.27.0

harnessed@4.27.0

AI coding harness package manager + composition orchestrator

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 4 file(s), 516 KB of source, external domains: api.github.com, bun.sh, git-scm.com, github.com, harnessed.dev

Source & flagged code

4 flagged · loading source
dist/cli.mjsView file
11import * as ajvFormatsNs from 'ajv-formats'; L12: import { execFileSync, spawnSync, spawn, exec, execSync, execFile } from 'child_process'; L13: import { pathToFileURL, fileURLToPath } from 'url'; ... L21: import { Command } from 'commander'; L22: import { stdout, stdin } from 'process'; L23: import * as readline from 'readline/promises'; ... L34: L35: // package.json L36: var package_default; ... L47: type: "git", L48: url: "https://github.com/easyinplay/harnessed.git" L49: },
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.mjsView on unpkg · L11
matchType = previous_version_dangerous_delta matchedPackage = harnessed@4.26.0 matchedIdentity = npm:aGFybmVzc2Vk:4.26.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.mjsView on unpkg
4032if (!process.stdin.isTTY) return; L4033: const readline2 = await import('readline/promises'); L4034: const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.mjsView on unpkg · L4032
11import * as ajvFormatsNs from 'ajv-formats'; L12: import { execFileSync, spawnSync, spawn, exec, execSync, execFile } from 'child_process'; L13: import { pathToFileURL, fileURLToPath } from 'url'; ... L21: import { Command } from 'commander'; L22: import { stdout, stdin } from 'process'; L23: import * as readline from 'readline/promises'; ... L34: L35: // package.json L36: var package_default; ... L47: type: "git", L48: url: "https://github.com/easyinplay/harnessed.git" L49: },
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/cli.mjsView on unpkg · L11

Findings

2 High4 Medium6 Low
HighSandbox Evasion Gated Capabilitydist/cli.mjs
HighPrevious Version Dangerous Deltadist/cli.mjs
MediumDynamic Requiredist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/cli.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings