registry  /  leerness  /  1.36.10

leerness@1.36.10

⚠ Under review

Leerness: 비파괴 마이그레이션, 자동 버전 감지·업데이트, 계획/진행/핸드오프 자동화, 게으름·시크릿·인코딩 자동 가드, Claude Code 슬래시 통합을 갖춘 한국어 우선 AI 개발 하네스.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 39 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 2.25 MB of source, external domains: 127.0.0.1, 192.168.68.89, agentskills.io, aider.chat, antigravity.google.com, api.github.com, block.github.io, console.anthropic.com, developer.twitter.com, discord.com, docs.anthropic.com, docs.github.com, example.com, github.com, h.com, img.shields.io, leerness.pages.dev, o.com, ollama.com, open-meteo.com, opencode.ai, other.com, platform.openai.com, raw.githubusercontent.com, stripe.com, www.npmjs.com, www.w3.org, x.com

Source & flagged code

32 flagged · loading source
bin/leerness.jsView file
3012patternName = aws_access_key severity = critical line = 3012 matchedText = const fn...b');
Critical
Critical Secret

Package contains a critical-looking secret pattern.

bin/leerness.jsView on unpkg · L3012
matchType = previous_version_dangerous_delta matchedPackage = leerness@1.35.10 matchedIdentity = npm:bGVlcm5lc3M:1.35.10 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/leerness.jsView on unpkg
3012patternName = aws_access_key severity = critical line = 3012 matchedText = const fn...b');
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3012
3418patternName = aws_access_key severity = critical line = 3418 matchedText = const be...lse;
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3418
3528patternName = aws_access_key severity = critical line = 3528 matchedText = return f...true
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3528
3531patternName = aws_access_key severity = critical line = 3531 matchedText = && f('AK...alse
Critical
Secret Pattern

AWS access key ID in bin/leerness.js

bin/leerness.jsView on unpkg · L3531
5const path = require('path'); L6: const cp = require('child_process'); L7: const { log, ok, warn, fail, failJson, setQuiet, today, now, absRoot, exists, read, readBuf, mkdirp, writeUtf8, append, rel } = require('../lib/io'); // 1.9.382/383 (UR-0025): 출력/...
High
Child Process

Package source references child process execution.

bin/leerness.jsView on unpkg · L5
50try { L51: const r = cp.spawnSync('chcp.com', [], { encoding: 'utf8', timeout: 2000, shell: true }); L52: const out = (r.stdout || '') + (r.stderr || '');
High
Shell

Package source references shell execution.

bin/leerness.jsView on unpkg · L50
3018{ name: 'MCP notification 준수: id없는 요청 무응답 가드 + ping {} (UR-0049 설치리뷰 1.9.313)', run: () => { const src = read(__filename); const guard = src.includes("const isNotification = !('id'... L3019: { name: 'PowerShell 감지: pwsh7(channel/Documents\\PowerShell/install) + ps5.1 영구경로 과경고 안함 (UR-0052 설치리뷰 1.9.314)', run: () => { const f = _detectPwshFromEnv; const pwsh7a = f({ POWE... L3020: { name: 'doc/surface 정합: doctor 명령 + stale MCP 카운트 동적화(commands/banner) (UR-0054 설치리뷰 1.9.315)', run: () => { const src = read(__filename); const doctorOk = typeof doctorCmd === 'f... L3021: { name: 'drift 마커 버그: session-handoff 프론트매터는 ^--- 일 때만 + drift 최신 Last generated (1.9.316)', run: () => { const src = read(__filename); const scSrc = read(path.join(path.dirname(__... L3022: { name: '텔레메트리 분리: 내부 auto-call(LEERNESS_INTERNAL) usage 집계 제외 + 주요 spawn 마킹 (UR-0051 설치리뷰 1.9.317)', run: () => { const src = read(__filename); const guard = src.includes("process... L3023: { name: 'lib/pure-utils: HTML 파싱 유틸 3종 모듈 분리 + 동작 + 인라인 제거 (UR-0025 1.9.318)', run: () => { const m = require('../lib/pure-utils'); const fnOk = typeof m._htmlToText === 'function'...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/leerness.jsView on unpkg · L3018
5Cross-file remote execution chain: bin/leerness.js spawns scripts/e2e.js; helper contains network access plus dynamic code execution. L5: const path = require('path'); L6: const cp = require('child_process'); L7: const { log, ok, warn, fail, failJson, setQuiet, today, now, absRoot, exists, read, readBuf, mkdirp, writeUtf8, append, rel } = require('../lib/io'); // 1.9.382/383 (UR-0025): 출력/... ... L40: // 해결: 부작용을 _cliBootstrap() 으로 묶고 파일 끝 require.main 가드에서만 호출. import/단위테스트는 부작용 0. L41: // 1.9.249 (UR-0018): 터미널 출력 한국어 깨짐 사전 방지 (stdout UTF-8 + Windows 비-65001 시 chcp 65001 자동, opt-out LEERNESS_NO_AUTOCHCP=1). L42: function _ensureStdoutEncoding() { ... L46: } catch {} L47: if (process.platform !== 'win32') return; L48: if (process.env.LEERNESS_NO_AUTOCHCP === '1') return; L49: if (process.env._LEERNESS_CHCP_DONE === '1') return; // 자식 spawn 무한 재호출 방지 ... L70: if (w && (w.code === 'DEP0190' || /DEP0190/.test(String(w.message || '')))) return; L71: process.stderr.write(`(node:${process.pid}) ${w.name || 'Warning'}: ${w.message || w}\n`);
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/leerness.jsView on unpkg · L5
2652log(` 🖥 Hardware: ${env.hardware.cpus} CPUs · ${env.hardware.memGB} GB RAM`); L2653: log(` 🖱 Terminal: TTY=${env.terminal.isTTY}${env.terminal.powershell ? ` · PowerShell v${env.terminal.powershell}` : ''}`); L2654: log(` 🔧 Tools:`); ... L2664: // 1.9.254: leerness CLI PATH 자동 등록 (사용자 명시 UR-0019) L2665: // 배경: `npm i -g leerness` 했는데 npm global bin 이 PATH 에 없으면 `leerness` 명령이 안 먹힘. L2666: // 해결: global bin 경로 감지 + PATH 포함 여부 확인 → 미등록 시 플랫폼별 안전 등록 (opt-in --apply).
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/leerness.jsView on unpkg · L2652
3L4: const fs = require('fs'); L5: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/leerness.jsView on unpkg · L3
3104{ name: 'graph --html: 빈/미초기화 하네스 무크래시 + 유효 빈 HTML (1.35.0 방어가드)', run: () => { const m = require('../lib/graph'); let ok = false; const tmp = fs.mkdtempSync(path.join(os.tmpdir(),... L3105: { name: 'graph --html: 임베드 script JS 신택스 유효성(U+2028/정규식 리터럴 회귀 영구 차단, 1.35.2)', run: () => { const m = require('../lib/graph'); let ok = false; const tmp = fs.mkdtempSync(path.join... L3106: { name: '7번째 버그헌트 P1-A (UR-0104): 테이블셀 안전화 _cellSafe/_cellUnescape (파이프/개행 injection 차단) (1.9.399)', run: () => { const m = require('../lib/pure-utils'); if (m._cellSafe !== _cellS...
Low
Eval

Package source references a known benign dynamic code generation pattern.

bin/leerness.jsView on unpkg · L3104
CHANGELOG.mdView file
426patternName = aws_access_key severity = critical line = 426 matchedText = - **FN-g...귀 0.
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L426
1958patternName = aws_access_key severity = critical line = 1958 matchedText = - `_isPl... 차단.
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L1958
2158patternName = aws_access_key severity = critical line = 2158 matchedText = **🔑 `AKI...드.**
Critical
Secret Pattern

AWS access key ID in CHANGELOG.md

CHANGELOG.mdView on unpkg · L2158
scripts/e2e-core.jsView file
51patternName = aws_access_key severity = critical line = 51 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e-core.js

scripts/e2e-core.jsView on unpkg · L51
75patternName = aws_access_key severity = critical line = 75 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e-core.js

scripts/e2e-core.jsView on unpkg · L75
scripts/e2e.jsView file
4452patternName = aws_access_key severity = critical line = 4452 matchedText = fs.write...8');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L4452
5002patternName = npm_token severity = critical line = 5002 matchedText = fs.write...n');
Critical
Secret Pattern

npm access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5002
5421patternName = npm_token severity = critical line = 5421 matchedText = fs.write...n');
Critical
Secret Pattern

npm access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5421
5979patternName = github_pat severity = critical line = 5979 matchedText = fs.write...;');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L5979
6130patternName = github_pat severity = critical line = 6130 matchedText = fs.write...n');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6130
6130patternName = aws_access_key severity = critical line = 6130 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6130
6137patternName = aws_access_key severity = critical line = 6137 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6137
6144patternName = github_pat severity = critical line = 6144 matchedText = fs.write...n');
Critical
Secret Pattern

GitHub personal access token in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6144
6144patternName = aws_access_key severity = critical line = 6144 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6144
6150patternName = aws_access_key severity = critical line = 6150 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6150
6559patternName = aws_access_key severity = critical line = 6559 matchedText = fs.write...n');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6559
6639patternName = aws_access_key severity = critical line = 6639 matchedText = fs.write...;');
Critical
Secret Pattern

AWS access key ID in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6639
6860patternName = private_key_rsa severity = critical line = 6860 matchedText = fs.write...n');
Critical
Secret Pattern

RSA private key in scripts/e2e.js

scripts/e2e.jsView on unpkg · L6860
lib/pure-utils.jsView file
660patternName = aws_access_key severity = critical line = 660 matchedText = // 1.10....E 등.
Critical
Secret Pattern

AWS access key ID in lib/pure-utils.js

lib/pure-utils.jsView on unpkg · L660

Findings

25 Critical5 High4 Medium5 Low
CriticalCritical Secretbin/leerness.js
CriticalPrevious Version Dangerous Deltabin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret Patternbin/leerness.js
CriticalSecret PatternCHANGELOG.md
CriticalSecret PatternCHANGELOG.md
CriticalSecret PatternCHANGELOG.md
CriticalSecret Patternscripts/e2e-core.js
CriticalSecret Patternscripts/e2e-core.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternscripts/e2e.js
CriticalSecret Patternlib/pure-utils.js
HighChild Processbin/leerness.js
HighShellbin/leerness.js
HighSame File Env Network Executionbin/leerness.js
HighCross File Remote Execution Contextbin/leerness.js
HighRuntime Package Installbin/leerness.js
MediumDynamic Requirebin/leerness.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalbin/leerness.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings