registry  /  polymath-analyzer  /  0.2.0

polymath-analyzer@0.2.0

Deterministic metrics from your local Claude Code / Codex agent logs — parallelism, flow, throughput, projects. Zero LLM, zero server, on-device.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 20 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 32 file(s), 14.2 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, claude.com, code.claude.com, cursor.com, docs.github.com, github.com, help.x.com, huggingface.co, json-schema.org, lu.ma, modal.com, polymathsociety.us, reactjs.org, todoist.com, www.calnewport.com, www.julian.com, www.linkedin.com, www.w3.org, www.workatastartup.com, www.workfrom.co, www.youtube.com, x.com, zcbonfjgiorrxczyekxl.supabase.co

Source & flagged code

8 flagged · loading source
dist/index.jsView file
2997patternName = supabase_service_key severity = critical line = 2997 matchedText = var DEFA...d4";
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.jsView on unpkg · L2997
2997patternName = supabase_service_key severity = critical line = 2997 matchedText = var DEFA...d4";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/index.js

dist/index.jsView on unpkg · L2997
47} L48: if (text2 && text2.charCodeAt(0) === 65279) { L49: text2 = text2.slice(1); ... L143: /<task-notification>[\s\S]*?<\/task-notification>/g, L144: /<local-command-stdout>[\s\S]*?<\/local-command-stdout>/g, L145: /<local-command-caveat>[\s\S]*?<\/local-command-caveat>/g, ... L173: // ../coding-core/dist/raw.js L174: var claudeProjectsRoot = () => process.env.CLAUDE_PROJECTS_DIR || path.join(os.homedir(), ".claude", "projects"); L175: var codexSessionsRoot = () => process.env.CODEX_SESSIONS_DIR || path.join(os.homedir(), ".codex", "sessions"); ... L177: var cursorProjectsRoot = () => process.env.CURSOR_PROJECTS_DIR || path.join(os.homedir(), ".cursor", "projects"); L178: var SKIP_DIR_RE = /(private-var-folders|-T-ps-|--data(-|$)|-sources(-|$)|--conversations|-node-modules-|-tmp(-|$)|-polymath-rehearsal-|-polymath-overnight-)/; L179: var AGENT_CWD_RE = /(\/\.data(\/|$)|\.polymath-society|\/sources(\/|$)|\/var\/folders\/|\/T\/ps-|\/timeline(\/|$)|onboarding-digest|engine-pilot|polymath-rehearsal|polymath-overnig...
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L47
dist/pipeline/coding-aggregate.jsView file
14// ../../lib/agents/shared/tools.ts L15: import { execFile } from "child_process"; L16: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/pipeline/coding-aggregate.jsView on unpkg · L14
dist/pipeline/coding-build.jsView file
436try { L437: mod = await import(NODE_SQLITE); L438: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/pipeline/coding-build.jsView on unpkg · L436
dist/pipeline/coding-gap.jsView file
145// ../../lib/agents/shared/cliAdapter.ts L146: import { spawn } from "child_process"; L147: import { promises as fs2 } from "fs"; ... L10094: availableTools = void 0, L10095: message = `Model tried to call unavailable tool '${toolName}'. ${availableTools === void 0 ? "No tools are available." : `Available tools: ${availableTools.join(", ")}.`}` L10096: }) { ... L11806: var _a17, _b, _c; L11807: return (_c = (_b = (_a17 = this.config).buildRequestUrl) == null ? void 0 : _b.call(_a17, this.config.baseURL, isStreaming)) != null ? _c : `${this.config.baseURL}/messages`; L11808: } ... L15586: try { L15587: const p = JSON.parse(readFileSync(path8.join(process.cwd(), ".data", "profile.json"), "utf-8")); L15588: const e = p?.preferredEngine;
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/pipeline/coding-gap.jsView on unpkg · L145
dist/cli.jsView file
3552patternName = supabase_service_key severity = critical line = 3552 matchedText = var DEFA...d4";
Critical
Secret Pattern

Supabase service role key (JWT) in dist/cli.js

dist/cli.jsView on unpkg · L3552
40Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L40: try { L41: return JSON.parse(candidate); L42: } catch { ... L61: // src/grade/backends.ts L62: import { spawnSync } from "child_process"; L63: import { existsSync } from "fs"; ... L68: const r = spawnSync(bin, args, { encoding: "utf-8", timeout: PROBE_TIMEOUT_MS }); L69: return { code: r.status, text: `${r.stdout ?? ""}${r.stderr ?? ""}`.trim() }; L70: } catch { ... L75: if (envOverride) return envOverride; L76: const found = run("/bin/sh", ["-c", `command -v ${name17}`]); L77: if (found.code === 0 && found.text) return found.text.split("\n")[0];
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L40

Findings

3 Critical4 High4 Medium9 Low
CriticalCritical Secretdist/index.js
CriticalSecret Patterndist/index.js
CriticalSecret Patterndist/cli.js
HighChild Processdist/pipeline/coding-aggregate.js
HighShell
HighRemote Agent Bridgedist/pipeline/coding-gap.js
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requiredist/pipeline/coding-build.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License