registry  /  leerness  /  1.35.7

leerness@1.35.7

Leerness: 비파괴 마이그레이션, 자동 버전 감지·업데이트, 계획/진행/핸드오프 자동화, 게으름·시크릿·인코딩 자동 가드, Claude Code 슬래시 통합을 갖춘 한국어 우선 AI 개발 하네스.

Static Scan Results

scanned 12d ago · by rust-scanner

Static analysis flagged 35 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 21 file(s), 2.15 MB of source, external domains: 127.0.0.1, 192.168.68.89, agentskills.io, aider.chat, antigravity.google.com, api.github.com, block.github.io, console.anthropic.com, developer.twitter.com, discord.com, docs.anthropic.com, docs.github.com, example.com, github.com, h.com, img.shields.io, leerness.pages.dev, o.com, ollama.com, open-meteo.com, opencode.ai, other.com, platform.openai.com, raw.githubusercontent.com, stripe.com, www.npmjs.com, www.w3.org, x.com

Source & flagged code

28 flagged · loading source
bin/leerness.jsView file
2921patternName = aws_access_key severity = critical line = 2921 matchedText = const fn...b');
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bin/leerness.jsView on unpkg · L2921
2921patternName = aws_access_key severity = critical line = 2921 matchedText = const fn...b');
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L2921
3309patternName = aws_access_key severity = critical line = 3309 matchedText = const be...lse;
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3309
3419patternName = aws_access_key severity = critical line = 3419 matchedText = return f...true
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3419
3422patternName = aws_access_key severity = critical line = 3422 matchedText = && f('AK...alse
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3422
5const path = require('path'); L6: const cp = require('child_process'); L7: const { log, ok, warn, fail, failJson, setQuiet, today, now, absRoot, exists, read, readBuf, mkdirp, writeUtf8, append, rel } = require('../lib/io'); // 1.9.382/383 (UR-0025): 출력/...
High
Child Process

Package source references child process execution.

bin/leerness.jsView on unpkg · L5
49try { L50: const r = cp.spawnSync('chcp.com', [], { encoding: 'utf8', timeout: 2000, shell: true }); L51: const out = (r.stdout || '') + (r.stderr || '');
High
Shell

Package source references shell execution.

bin/leerness.jsView on unpkg · L49
2927{ name: 'MCP notification 준수: id없는 요청 무응답 가드 + ping {} (UR-0049 설치리뷰 1.9.313)', run: () => { const src = read(__filename); const guard = src.includes("const isNotification = !('id'... L2928: { name: 'PowerShell 감지: pwsh7(channel/Documents\\PowerShell/install) + ps5.1 영구경로 과경고 안함 (UR-0052 설치리뷰 1.9.314)', run: () => { const f = _detectPwshFromEnv; const pwsh7a = f({ POWE... L2929: { name: 'doc/surface 정합: doctor 명령 + stale MCP 카운트 동적화(commands/banner) (UR-0054 설치리뷰 1.9.315)', run: () => { const src = read(__filename); const doctorOk = typeof doctorCmd === 'f... L2930: { name: 'drift 마커 버그: session-handoff 프론트매터는 ^--- 일 때만 + drift 최신 Last generated (1.9.316)', run: () => { const src = read(__filename); const scSrc = read(path.join(path.dirname(__... L2931: { name: '텔레메트리 분리: 내부 auto-call(LEERNESS_INTERNAL) usage 집계 제외 + 주요 spawn 마킹 (UR-0051 설치리뷰 1.9.317)', run: () => { const src = read(__filename); const guard = src.includes("process... L2932: { name: 'lib/pure-utils: HTML 파싱 유틸 3종 모듈 분리 + 동작 + 인라인 제거 (UR-0025 1.9.318)', run: () => { const m = require('../lib/pure-utils'); const fnOk = typeof m._htmlToText === 'function'...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/leerness.jsView on unpkg · L2927
2640log(` 🖥 Hardware: ${env.hardware.cpus} CPUs · ${env.hardware.memGB} GB RAM`); L2641: log(` 🖱 Terminal: TTY=${env.terminal.isTTY}${env.terminal.powershell ? ` · PowerShell v${env.terminal.powershell}` : ''}`); L2642: log(` 🔧 Tools:`); ... L2652: // 1.9.254: leerness CLI PATH 자동 등록 (사용자 명시 UR-0019) L2653: // 배경: `npm i -g leerness` 했는데 npm global bin 이 PATH 에 없으면 `leerness` 명령이 안 먹힘. L2654: // 해결: global bin 경로 감지 + PATH 포함 여부 확인 → 미등록 시 플랫폼별 안전 등록 (opt-in --apply).
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/leerness.jsView on unpkg · L2640
3L4: const fs = require('fs'); L5: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/leerness.jsView on unpkg · L3
3013{ name: 'graph --html: 빈/미초기화 하네스 무크래시 + 유효 빈 HTML (1.35.0 방어가드)', run: () => { const m = require('../lib/graph'); let ok = false; const tmp = fs.mkdtempSync(path.join(os.tmpdir(),... L3014: { name: 'graph --html: 임베드 script JS 신택스 유효성(U+2028/정규식 리터럴 회귀 영구 차단, 1.35.2)', run: () => { const m = require('../lib/graph'); let ok = false; const tmp = fs.mkdtempSync(path.join... L3015: { name: '7번째 버그헌트 P1-A (UR-0104): 테이블셀 안전화 _cellSafe/_cellUnescape (파이프/개행 injection 차단) (1.9.399)', run: () => { const m = require('../lib/pure-utils'); if (m._cellSafe !== _cellS...
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/leerness.jsView on unpkg · L3013
scripts/e2e.jsView file
4452patternName = aws_access_key severity = critical line = 4452 matchedText = fs.write...8');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L4452
5002patternName = npm_token severity = critical line = 5002 matchedText = fs.write...n');
Critical
Secret Pattern

npm access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5002
5421patternName = npm_token severity = critical line = 5421 matchedText = fs.write...n');
Critical
Secret Pattern

npm access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5421
5940patternName = github_pat severity = critical line = 5940 matchedText = fs.write...;');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5940
6057patternName = github_pat severity = critical line = 6057 matchedText = fs.write...n');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6057
6057patternName = aws_access_key severity = critical line = 6057 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6057
6064patternName = aws_access_key severity = critical line = 6064 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6064
6071patternName = github_pat severity = critical line = 6071 matchedText = fs.write...n');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6071
6071patternName = aws_access_key severity = critical line = 6071 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6071
6077patternName = aws_access_key severity = critical line = 6077 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6077
6541patternName = aws_access_key severity = critical line = 6541 matchedText = fs.write...;');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6541
6762patternName = private_key_rsa severity = critical line = 6762 matchedText = fs.write...n');
Critical
Secret Pattern

RSA private key in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6762
6Cross-file remote execution chain: scripts/e2e.js spawns bin/leerness.js; helper contains network access plus dynamic code execution. L6: const path = require('path'); L7: const cp = require('child_process'); L8: L9: // 1.9.12: e2e 안정성을 위해 자식 프로세스의 npm 호출 차단 (hang 방지) L10: process.env.LEERNESS_OFFLINE = process.env.LEERNESS_OFFLINE || '1'; L11: // 1.9.284 (UR-0029): e2e 속도 — 기본 roadmap.html(70KB HTML) 자동 생성 OFF (roadmap 전용 테스트 블록만 일시 ON). ... L13: process.env.LEERNESS_NO_AUTO_ROADMAP = '1'; L14: const CLI = path.resolve(__dirname, '..', 'bin', 'leerness.js'); L15: const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'leerness-e2e-')); ... L22: const ok = (r.status === 0) === !opts.expectFail; L23: process.stdout.write(`${ok ? '✓' : '✗'} ${label} (exit=${r.status})\n`); L24: if (!ok) { failed++; process.stdout.write(r.stdout || ''); process.stderr.write(r.stderr || ''); }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/e2e.jsView on unpkg · L6
CHANGELOG.mdView file
150patternName = aws_access_key severity = critical line = 150 matchedText = - **FN-g...귀 0.
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L150
1682patternName = aws_access_key severity = critical line = 1682 matchedText = - `_isPl... 차단.
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L1682
1882patternName = aws_access_key severity = critical line = 1882 matchedText = **🔑 `AKI...드.**
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L1882
lib/pure-utils.jsView file
659patternName = aws_access_key severity = critical line = 659 matchedText = // 1.10....E 등.
Critical
Secret Pattern

AWS access key ID in lib/pure-utils.js

lib/pure-utils.jsView on unpkg · L659

Findings

21 Critical5 High4 Medium5 Low
CriticalCritical Secretbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret PatternCHANGELOG.md
CriticalSecret PatternCHANGELOG.md
CriticalSecret PatternCHANGELOG.md
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternlib/pure-utils.js
HighChild Processbin/leerness.js
HighShellbin/leerness.js
HighSame File Env Network Executionbin/leerness.js
HighCross File Remote Execution Contextscripts/e2e.js
HighRuntime Package Installbin/leerness.js
MediumDynamic Requirebin/leerness.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalbin/leerness.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings