registry  /  leerness  /  1.36.31

leerness@1.36.31

⚠ Under review

The AI-coding operations layer that makes "done" require evidence — persistent memory, evidence-gated completion checks, and clean handoffs for any AI agent (Claude Code, Codex, Cursor). State lives as plain files in your repo. CLI + MCP, 0 runtime depend

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 39 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 2.35 MB of source, external domains: 127.0.0.1, 192.168.68.89, agentskills.io, aider.chat, antigravity.google.com, api.github.com, block.github.io, console.anthropic.com, developer.twitter.com, discord.com, docs.anthropic.com, docs.github.com, example.com, github.com, h.com, img.shields.io, leerness.pages.dev, o.com, ollama.com, open-meteo.com, opencode.ai, other.com, platform.openai.com, raw.githubusercontent.com, stripe.com, www.npmjs.com, www.w3.org, x.com

Source & flagged code

32 flagged · loading source
bin/leerness.jsView file
3333patternName = aws_access_key severity = critical line = 3333 matchedText = const fn...b');
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bin/leerness.jsView on unpkg · L3333
matchType = previous_version_dangerous_delta matchedPackage = leerness@1.35.10 matchedIdentity = npm:bGVlcm5lc3M:1.35.10 similarity = 0.476 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/leerness.jsView on unpkg
3333patternName = aws_access_key severity = critical line = 3333 matchedText = const fn...b');
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3333
3739patternName = aws_access_key severity = critical line = 3739 matchedText = const be...lse;
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3739
3849patternName = aws_access_key severity = critical line = 3849 matchedText = return f...true
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3849
3852patternName = aws_access_key severity = critical line = 3852 matchedText = && f('AK...alse
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3852
5const path = require('path'); L6: const cp = require('child_process'); L7: const { log, ok, warn, fail, failJson, setQuiet, today, now, absRoot, exists, read, readBuf, mkdirp, writeUtf8, append, rel } = require('../lib/io'); // 1.9.382/383 (UR-0025): 출력/...
High
Child Process

Package source references child process execution.

bin/leerness.jsView on unpkg · L5
51try { L52: const r = cp.spawnSync('chcp.com', [], { encoding: 'utf8', timeout: 2000, shell: true }); L53: const out = (r.stdout || '') + (r.stderr || '');
High
Shell

Package source references shell execution.

bin/leerness.jsView on unpkg · L51
3339{ name: 'MCP notification 준수: id없는 요청 무응답 가드 + ping {} (UR-0049 설치리뷰 1.9.313)', run: () => { const src = read(__filename); const guard = src.includes("const isNotification = !('id'... L3340: { name: 'PowerShell 감지: pwsh7(channel/Documents\\PowerShell/install) + ps5.1 영구경로 과경고 안함 (UR-0052 설치리뷰 1.9.314)', run: () => { const f = _detectPwshFromEnv; const pwsh7a = f({ POWE... L3341: { name: 'doc/surface 정합: doctor 명령 + stale MCP 카운트 동적화(commands/banner) (UR-0054 설치리뷰 1.9.315)', run: () => { const src = read(__filename); const doctorOk = typeof doctorCmd === 'f... L3342: { name: 'drift 마커 버그: session-handoff 프론트매터는 ^--- 일 때만 + drift 최신 Last generated (1.9.316)', run: () => { const src = read(__filename); const scSrc = read(path.join(path.dirname(__... L3343: { name: '텔레메트리 분리: 내부 auto-call(LEERNESS_INTERNAL) usage 집계 제외 + 주요 spawn 마킹 (UR-0051 설치리뷰 1.9.317)', run: () => { const src = read(__filename); const guard = src.includes("process... L3344: { name: 'lib/pure-utils: HTML 파싱 유틸 3종 모듈 분리 + 동작 + 인라인 제거 (UR-0025 1.9.318)', run: () => { const m = require('../lib/pure-utils'); const fnOk = typeof m._htmlToText === 'function'...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/leerness.jsView on unpkg · L3339
5Cross-file remote execution chain: bin/leerness.js spawns scripts/e2e.js; helper contains network access plus dynamic code execution. L5: const path = require('path'); L6: const cp = require('child_process'); L7: const { log, ok, warn, fail, failJson, setQuiet, today, now, absRoot, exists, read, readBuf, mkdirp, writeUtf8, append, rel } = require('../lib/io'); // 1.9.382/383 (UR-0025): 출력/... ... L41: // 해결: 부작용을 _cliBootstrap() 으로 묶고 파일 끝 require.main 가드에서만 호출. import/단위테스트는 부작용 0. L42: // 1.9.249 (UR-0018): 터미널 출력 한국어 깨짐 사전 방지 (stdout UTF-8 + Windows 비-65001 시 chcp 65001 자동, opt-out LEERNESS_NO_AUTOCHCP=1). L43: function _ensureStdoutEncoding() { ... L47: } catch {} L48: if (process.platform !== 'win32') return; L49: if (process.env.LEERNESS_NO_AUTOCHCP === '1') return; L50: if (process.env._LEERNESS_CHCP_DONE === '1') return; // 자식 spawn 무한 재호출 방지 ... L71: if (w && (w.code === 'DEP0190' || /DEP0190/.test(String(w.message || '')))) return; L72: process.stderr.write(`(node:${process.pid}) ${w.name || 'Warning'}: ${w.message || w}\n`);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/leerness.jsView on unpkg · L5
2709log(` 🖥 Hardware: ${env.hardware.cpus} CPUs · ${env.hardware.memGB} GB RAM`); L2710: log(` 🖱 Terminal: TTY=${env.terminal.isTTY}${env.terminal.powershell ? ` · PowerShell v${env.terminal.powershell}` : ''}`); L2711: log(` 🔧 Tools:`); ... L2721: // 1.9.254: leerness CLI PATH 자동 등록 (사용자 명시 UR-0019) L2722: // 배경: `npm i -g leerness` 했는데 npm global bin 이 PATH 에 없으면 `leerness` 명령이 안 먹힘. L2723: // 해결: global bin 경로 감지 + PATH 포함 여부 확인 → 미등록 시 플랫폼별 안전 등록 (opt-in --apply).
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/leerness.jsView on unpkg · L2709
3L4: const fs = require('fs'); L5: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/leerness.jsView on unpkg · L3
3095const js = html.slice(html.indexOf(o) + o.length, html.lastIndexOf(c)); L3096: let synOk = false; try { new Function(js); synOk = true; } catch {} L3097: htmlOk = html.includes('data-v="roadmap"') && html.includes('data-v="toggles"') && html.includes('toggleRegistry') && synOk;
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/leerness.jsView on unpkg · L3095
CHANGELOG.mdView file
646patternName = aws_access_key severity = critical line = 646 matchedText = - **FN-g...귀 0.
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L646
2178patternName = aws_access_key severity = critical line = 2178 matchedText = - `_isPl... 차단.
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L2178
2378patternName = aws_access_key severity = critical line = 2378 matchedText = **🔑 `AKI...드.**
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L2378
scripts/e2e-core.jsView file
51patternName = aws_access_key severity = critical line = 51 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e-core.js

scripts/e2e-core.jsView on unpkg · L51
75patternName = aws_access_key severity = critical line = 75 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e-core.js

scripts/e2e-core.jsView on unpkg · L75
scripts/e2e.jsView file
4452patternName = aws_access_key severity = critical line = 4452 matchedText = fs.write...8');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L4452
5002patternName = npm_token severity = critical line = 5002 matchedText = fs.write...n');
Critical
Secret Pattern

npm access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5002
5421patternName = npm_token severity = critical line = 5421 matchedText = fs.write...n');
Critical
Secret Pattern

npm access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5421
5979patternName = github_pat severity = critical line = 5979 matchedText = fs.write...;');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5979
6130patternName = github_pat severity = critical line = 6130 matchedText = fs.write...n');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6130
6130patternName = aws_access_key severity = critical line = 6130 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6130
6137patternName = aws_access_key severity = critical line = 6137 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6137
6144patternName = github_pat severity = critical line = 6144 matchedText = fs.write...n');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6144
6144patternName = aws_access_key severity = critical line = 6144 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6144
6150patternName = aws_access_key severity = critical line = 6150 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6150
6559patternName = aws_access_key severity = critical line = 6559 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6559
6639patternName = aws_access_key severity = critical line = 6639 matchedText = fs.write...;');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6639
6860patternName = private_key_rsa severity = critical line = 6860 matchedText = fs.write...n');
Critical
Secret Pattern

RSA private key in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6860
lib/pure-utils.jsView file
705patternName = aws_access_key severity = critical line = 705 matchedText = // 1.10....E 등.
Critical
Secret Pattern

AWS access key ID in lib/pure-utils.js

lib/pure-utils.jsView on unpkg · L705

Findings

25 Critical5 High4 Medium5 Low
CriticalCritical Secretbin/leerness.js
CriticalPrevious Version Dangerous Deltabin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret PatternCHANGELOG.md
CriticalSecret PatternCHANGELOG.md
CriticalSecret PatternCHANGELOG.md
CriticalSecret Patternscripts/e2e-core.js
CriticalSecret Patternscripts/e2e-core.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternlib/pure-utils.js
HighChild Processbin/leerness.js
HighShellbin/leerness.js
HighSame File Env Network Executionbin/leerness.js
HighCross File Remote Execution Contextbin/leerness.js
HighRuntime Package Installbin/leerness.js
MediumDynamic Requirebin/leerness.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalbin/leerness.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings