
imhcode@1.0.9

⚠ Under review

IMH-Code — Imam Hussain Coding Harness Platform. A fast-first multi-agent AI coding framework with intelligent model routing. 19 generic role-based agents (planner, nextjs-executor, laravel-executor, etc.), configurable testing strategy, and 7 token-savin

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 28 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 57 file(s), 426 KB of source, external domains: api.github.com, example.com, fonts.google.com, github.com, raw.githubusercontent.com, www.typeui.sh

Source & flagged code

22 flagged
skills/typeui-main/src/prompts/designSystem.ts
L18: async function loadInquirer(): Promise<InquirerModule["default"]> {
L19: const dynamicImport = new Function(
L20: "specifier",
Low
Eval

Package source references a known benign dynamic code generation pattern.

skills/typeui-main/src/prompts/designSystem.ts · L18
bin/imhcode.js
L24: const path = require('path');
L25: const { execSync, spawnSync } = require('child_process');
L26: const os = require('os');
...
L36: const CONFIG_FILE = path.join(LOCAL_DIR_NAME, 'imhcode.config.json');
L37: const GLOBAL_DIR = path.join(os.homedir(), '.imhcode');
L38: const START_MD = path.join(DOCS_DIR, 'start.md');
...
L49: if (command === '--version' || command === '-v') {
L50: const pkg = require(path.join(__dirname, '..', 'package.json'));
L51: console.log(`${CLI_CMD} version: ${pkg.version}`);
...
L483: # 3. Run development server
L484: ${stack.includes('Next.js') ? 'cd frontend && npm run dev # → http://localhost:3000' : ''}
L485: ${stack.includes('Vue 3 / Nuxt 4') ? 'cd frontend && npm run dev # → http://localhost:3000' : ''}
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

bin/imhcode.js · L24
Trigger-reachable chain: manifest.bin -> bin/imhcode.js
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/imhcode.js · L24
matchType = previous_version_dangerous_delta; matchedPackage = imhcode@1.0.0; matchedIdentity = npm:aW1oY29kZQ:1.0.0; similarity = 0.877; summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/imhcode.js
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: sensitive-file+network, execution+network
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/imhcode.js · L24
L22:
L23: const fs = require('fs');
L24: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/imhcode.js · L22
skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
path = skills/ui-ux-pro-max/.[redacted].py; kind = payload_in_excluded_dir; sizeBytes = 19430; magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
path = skills/ui-ux-pro-max/.[redacted].py; kind = build_helper; sizeBytes = 19430; magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
skills/theme-factory/theme-showcase.pdf
path = skills/theme-factory/theme-showcase.pdf; kind = high_entropy_blob; sizeBytes = 124310; magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

skills/theme-factory/theme-showcase.pdf
skills/graphify/skill-windows.md
L681: patternName = generic_password; severity = medium; line = 681; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-windows.md

skills/graphify/skill-windows.md · L681
skills/graphify/skill-trae.md
L592: patternName = generic_password; severity = medium; line = 592; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-trae.md

skills/graphify/skill-trae.md · L592
skills/graphify/skill-pi.md
L543: patternName = generic_password; severity = medium; line = 543; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-pi.md

skills/graphify/skill-pi.md · L543
skills/graphify/skill-codex.md
L605: patternName = generic_password; severity = medium; line = 605; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-codex.md

skills/graphify/skill-codex.md · L605
skills/graphify/skill-kiro.md
L543: patternName = generic_password; severity = medium; line = 543; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-kiro.md

skills/graphify/skill-kiro.md · L543
skills/graphify/skill-copilot.md
L603: patternName = generic_password; severity = medium; line = 603; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-copilot.md

skills/graphify/skill-copilot.md · L603
skills/graphify/skill-opencode.md
L655: patternName = generic_password; severity = medium; line = 655; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-opencode.md

skills/graphify/skill-opencode.md · L655
skills/graphify/skill-aider.md
L544: patternName = generic_password; severity = medium; line = 544; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-aider.md

skills/graphify/skill-aider.md · L544
skills/graphify/skill-claw.md
L544: patternName = generic_password; severity = medium; line = 544; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-claw.md

skills/graphify/skill-claw.md · L544
skills/graphify/skill-droid.md
L600: patternName = generic_password; severity = medium; line = 600; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-droid.md

skills/graphify/skill-droid.md · L600
skills/django-tdd/SKILL.md
L25: patternName = generic_password; severity = medium; line = 25; matchedText = user = U...23')
Medium
Secret Pattern

Hardcoded password in skills/django-tdd/SKILL.md

skills/django-tdd/SKILL.md · L25
L117: patternName = generic_password; severity = medium; line = 117; matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in skills/django-tdd/SKILL.md

skills/django-tdd/SKILL.md · L117
L126: patternName = generic_password; severity = medium; line = 126; matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in skills/django-tdd/SKILL.md

skills/django-tdd/SKILL.md · L126

Findings

3 Critical · 3 High · 17 Medium · 5 Low
Critical · Persistence Backdoor · bin/imhcode.js
Critical · Trigger Reachable Dangerous Capability · bin/imhcode.js
Critical · Previous Version Dangerous Delta · bin/imhcode.js
High · Entrypoint Build Divergence · bin/imhcode.js
High · Ships High Entropy Blob · skills/theme-factory/theme-showcase.pdf
High · Payload In Excluded Dir · skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
Medium · Dynamic Require · bin/imhcode.js
Medium · Network
Medium · Ships Build Helper · skills/ui-ux-pro-max/.claude/skills/design/scripts/cip/generate.py
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · skills/graphify/skill-windows.md
Medium · Secret Pattern · skills/graphify/skill-trae.md
Medium · Secret Pattern · skills/graphify/skill-pi.md
Medium · Secret Pattern · skills/graphify/skill-codex.md
Medium · Secret Pattern · skills/graphify/skill-kiro.md
Medium · Secret Pattern · skills/graphify/skill-copilot.md
Medium · Secret Pattern · skills/graphify/skill-opencode.md
Medium · Secret Pattern · skills/graphify/skill-aider.md
Medium · Secret Pattern · skills/graphify/skill-claw.md
Medium · Secret Pattern · skills/graphify/skill-droid.md
Medium · Secret Pattern · skills/django-tdd/SKILL.md
Medium · Secret Pattern · skills/django-tdd/SKILL.md
Medium · Secret Pattern · skills/django-tdd/SKILL.md
Low · Scripts Present
Low · Eval · skills/typeui-main/src/prompts/designSystem.ts
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings