registry  /  monomind  /  2.0.0

monomind@2.0.0

⚠ Under review

Monomind - Power toolkit for Claude Code. Autonomous agent orgs, codebase knowledge graph, keyword-routed specialist prompts, and 80+ slash commands. One init, then walk away.

Static Scan Results

scanned 12h ago · by rust-scanner

Static analysis flagged 24 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 361 file(s), 4.30 MB of source, external domains: 127.0.0.1, a2a-protocol.org, accounts.google.com, api.anthropic.com, api.github.com, api.osv.dev, api.pinata.cloud, api.web3.storage, cdn.jsdelivr.net, cdnjs.cloudflare.com, cli.github.com, cloud.google.com, cloudflare-ipfs.com, dweb.link, gateway.pinata.cloud, gemini.google.com, generativelanguage.googleapis.com, git-scm.com, github.com, ipfs.io, login.microsoftonline.com, nodejs.org, pinata.cloud, registry.npmjs.org, services.nvd.nist.gov, storage.googleapis.com, w3s.link, web3.storage, www.instagram.com, www.linkedin.com, www.w3.org, x.com

Source & flagged code

17 flagged · loading source
package.jsonView file
scripts.postinstall = find node_modules -name '._*' -delete 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = find node_modules -name '._*' -delete 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
README.mdView file
isSafe('Ignore all previous instructions'); // → false (~0.04ms)
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg
packages/@monomind/cli/dist/src/mcp-tools/quality/security-compliance/detect-secrets.jsView file
282patternName = generic_password severity = medium line = 282 matchedText = password...er',
Medium
Secret Pattern

Package contains a possible secret pattern.

packages/@monomind/cli/dist/src/mcp-tools/quality/security-compliance/detect-secrets.jsView on unpkg · L282
scripts/ua-enrich.mjsView file
34import { fileURLToPath } from 'url'; L35: import { execSync, spawnSync } from 'child_process'; L36:
High
Child Process

Package source references child process execution.

scripts/ua-enrich.mjsView on unpkg · L34
packages/@monomind/cli/dist/src/init/statusline-generator.jsView file
186L187: const raw = safeExec(\`sh -c '\${script}'\`, 3000); L188: if (!raw) return result;
High
Shell

Package source references shell execution.

packages/@monomind/cli/dist/src/init/statusline-generator.jsView on unpkg · L186
41const path = require('path'); L42: const { execSync } = require('child_process'); L43: const os = require('os'); ... L49: L50: const CWD = process.env.CLAUDE_PROJECT_DIR || process.cwd(); L51: L52: // Read monomind version — check global install first, then CWD package.json L53: function getVersion() { ... L66: if (!pkgStat || pkgStat.size > 1024 * 1024) continue; L67: const pkg = JSON.parse(fs.readFileSync(p, 'utf-8')); L68: if (pkg.version && (pkg.name === 'monomind' || pkg.name === '@monomind/cli' || (pkg.name || '').startsWith('@monomind'))) { ... L1329: if (!options.statusline.enabled) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

packages/@monomind/cli/dist/src/init/statusline-generator.jsView on unpkg · L41
packages/@monomind/cli/dist/src/workflow/condition-evaluator.jsView file
78// eslint-disable-next-line @typescript-eslint/no-implied-eval L79: const fn = new Function(`"use strict"; return (${resolved});`); L80: return Boolean(fn());
Low
Eval

Package source references a known benign dynamic code generation pattern.

packages/@monomind/cli/dist/src/workflow/condition-evaluator.jsView on unpkg · L78
bin/cli.jsView file
10const cliPath = join(__dirname, '..', 'packages', '@monomind', 'cli', 'bin', 'cli.js'); L11: await import(pathToFileURL(cliPath).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/cli.jsView on unpkg · L10
packages/@monomind/cli/dist/src/services/crash-reporter.jsView file
15import { createHash } from 'crypto'; L16: import { execFile } from 'child_process'; L17: import { promisify } from 'util'; L18: const execFileAsync = promisify(execFile); L19: const STATE_DIR = join(homedir(), '.monomind'); L20: const CONFIG_PATH = join(STATE_DIR, 'crash-reporting.json'); ... L40: return fallback; L41: return JSON.parse(readFileSync(path, 'utf8')); L42: } ... L85: /(?:token|bearer)\s*[:=]\s*['"]?[^\s'"]{10,}['"]?/gi, L86: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g, L87: /sk-[a-zA-Z0-9]{20,}/g,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

packages/@monomind/cli/dist/src/services/crash-reporter.jsView on unpkg · L15
packages/@monomind/cli/dist/src/commands/providers.jsView file
30output.printError('Provider name is required. Use -p <name> or pass as first argument.'); L31: return { success: false, exitCode: 1 }; L32: } L33: const cwd = process.cwd(); L34: const config = configManager.getConfig(cwd); ... L109: test: async () => { L110: const key = process.env.ANTHROPIC_API_KEY || getConfigApiKey('anthropic'); L111: if (key) ... L137: const entry = configuredProviders.find((p) => typeof p.name === 'string' && p.name.toLowerCase() === 'ollama'); L138: const baseUrl = entry?.baseUrl || 'http://localhost:11434'; L139: let parsedBaseUrl; ... L148: }
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

packages/@monomind/cli/dist/src/commands/providers.jsView on unpkg · L30
packages/@monomind/cli/dist/workflow/builtin-handlers.jsView file
68var node_path_1 = require("node:path"); L69: var node_child_process_1 = require("node:child_process"); L70: // Call npx monomind browse <args> and return stdout. Never throws. L71: function browseCmd(args, timeoutMs) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

packages/@monomind/cli/dist/workflow/builtin-handlers.jsView on unpkg · L68
scripts/install.shView file
path = scripts/install.sh kind = build_helper sizeBytes = 12269 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/install.shView on unpkg
packages/@monomind/cli/dist/src/init/executor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = monomind@1.16.11 matchedIdentity = npm:bW9ub21pbmQ:1.16.11 similarity = 0.592 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

packages/@monomind/cli/dist/src/init/executor.jsView on unpkg
packages/@monomind/cli/.claude/agents/core/reviewer.mdView file
85patternName = generic_password severity = medium line = 85 matchedText = console....rd);
Medium
Secret Pattern

Hardcoded password in packages/@monomind/cli/.claude/agents/core/reviewer.md

packages/@monomind/cli/.claude/agents/core/reviewer.mdView on unpkg · L85
packages/@monomind/cli/.claude/agents/testing/testing-api-tester.mdView file
78patternName = generic_password severity = medium line = 78 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in packages/@monomind/cli/.claude/agents/testing/testing-api-tester.md

packages/@monomind/cli/.claude/agents/testing/testing-api-tester.mdView on unpkg · L78
packages/@monomind/cli/.claude/agents/testing/testing-performance-benchmarker.mdView file
94patternName = generic_password severity = medium line = 94 matchedText = password...123'
Medium
Secret Pattern

Hardcoded password in packages/@monomind/cli/.claude/agents/testing/testing-performance-benchmarker.md

packages/@monomind/cli/.claude/agents/testing/testing-performance-benchmarker.mdView on unpkg · L94

Findings

1 Critical6 High11 Medium6 Low
CriticalPrevious Version Dangerous Deltapackages/@monomind/cli/dist/src/init/executor.js
HighInstall Time Lifecycle Scriptspackage.json
HighAi Reviewer ManipulationREADME.md
HighChild Processscripts/ua-enrich.mjs
HighShellpackages/@monomind/cli/dist/src/init/statusline-generator.js
HighCloud Metadata Accesspackages/@monomind/cli/dist/src/commands/providers.js
HighRuntime Package Installpackages/@monomind/cli/dist/workflow/builtin-handlers.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumSecret Patternpackages/@monomind/cli/dist/src/mcp-tools/quality/security-compliance/detect-secrets.js
MediumDynamic Requirebin/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencepackages/@monomind/cli/dist/src/init/statusline-generator.js
MediumShips Build Helperscripts/install.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternpackages/@monomind/cli/.claude/agents/core/reviewer.md
MediumSecret Patternpackages/@monomind/cli/.claude/agents/testing/testing-api-tester.md
MediumSecret Patternpackages/@monomind/cli/.claude/agents/testing/testing-performance-benchmarker.md
LowScripts Present
LowEvalpackages/@monomind/cli/dist/src/workflow/condition-evaluator.js
LowWeak Cryptopackages/@monomind/cli/dist/src/services/crash-reporter.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings