registry  /  principles-disciple  /  1.174.0

principles-disciple@1.174.0

Native OpenClaw plugin for Principles Disciple

Static Scan Results

scanned 15d ago · by rust-scanner

Static analysis flagged 11 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 141 file(s), 1.05 MB of source

Source & flagged code

6 flagged · loading source
dist/core/rule-implementation-runtime.jsView file
1import { nodeVm } from '../utils/node-vm-polyfill.js'; L2: import { spawnSync } from 'node:child_process'; L3: /** Timeout (ms) for compiling RuleCode (defining evaluate + meta). */
High
Child Process

Package source references child process execution.

dist/core/rule-implementation-runtime.jsView on unpkg · L1
scripts/sync-plugin.mjsView file
848try { L849: execSync(`"${localShim}" --version`, { stdio: 'pipe', shell: true }); L850: console.log(`✅ PD CLI shim verified: ${localShim}`);
High
Shell

Package source references shell execution.

scripts/sync-plugin.mjsView on unpkg · L848
1329package = principles-disciple; repositoryIdentity = principles; dependency = better-sqlite3 L1329: try { L1330: execSync(`node -e "require('better-sqlite3')"`, { cwd: INSTALL_DIR, stdio: 'pipe' }); L1331: console.log('✅ Native dependencies verified');
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

scripts/sync-plugin.mjsView on unpkg · L1329
915try { L916: execSync('npm install --omit=dev --no-audit --no-fund --prefer-offline', { L917: cwd: INSTALL_DIR,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/sync-plugin.mjsView on unpkg · L915
23import { fileURLToPath } from 'url'; L24: import { execSync } from 'child_process'; L25: L26: const __filename = fileURLToPath(import.meta.url); L27: const __dirname = dirname(__filename); L28: ... L38: function getHomeDir() { L39: return process.env.HOME L40: || process.env.USERPROFILE ... L52: const raw = readFileSync(configPath, 'utf-8'); L53: const config = JSON.parse(raw); L54: const workspace = config?.agents?.defaults?.workspace;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/sync-plugin.mjsView on unpkg · L23
dist/core/trajectory.jsView file
489) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) L490: `).run(input.sessionId, input.toolName, input.outcome, input.durationMs ?? null, input.exitCode ?? null, input.errorType ?? null, input.errorMessage ?? null, input.gfiBefore ?? nul... L491: return Number(result.lastInsertRowid); ... L759: summary: row.summary ? String(row.summary) : null, L760: metadata: JSON.parse(String(row.metadata_json ?? '{}')), L761: createdAt: String(row.created_at),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/trajectory.jsView on unpkg · L489

Findings

4 High3 Medium4 Low
HighChild Processdist/core/rule-implementation-runtime.js
HighShellscripts/sync-plugin.mjs
HighCopied Package Dependency Bridgescripts/sync-plugin.mjs
HighRuntime Package Installscripts/sync-plugin.mjs
MediumEnvironment Vars
MediumInstall Persistencescripts/sync-plugin.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/core/trajectory.js
LowFilesystem
LowHigh Entropy Strings