registry  /  principles-disciple  /  1.190.0

principles-disciple@1.190.0

⚠ Under review

Native OpenClaw plugin for Principles Disciple

Static Scan Results

scanned 13d ago · by rust-scanner

Static analysis flagged 13 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 140 file(s), 1.05 MB of source, external domains: principles-disciple.dev

Source & flagged code

7 flagged · loading source
dist/core/rule-implementation-runtime.jsView file
1import { nodeVm } from '../utils/node-vm-polyfill.js'; L2: import { spawnSync } from 'node:child_process'; L3: /** Timeout (ms) for compiling RuleCode (defining evaluate + meta). */
High
Child Process

Package source references child process execution.

dist/core/rule-implementation-runtime.jsView on unpkg · L1
scripts/sync-plugin.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = principles-disciple@1.187.0 matchedIdentity = npm:cHJpbmNpcGxlcy1kaXNjaXBsZQ:1.187.0 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/sync-plugin.mjsView on unpkg
860try { L861: execSync(`"${localShim}" --version`, { stdio: 'pipe', shell: true }); L862: console.log(`✅ PD CLI shim verified: ${localShim}`);
High
Shell

Package source references shell execution.

scripts/sync-plugin.mjsView on unpkg · L860
1341package = principles-disciple; repositoryIdentity = principles; dependency = better-sqlite3 L1341: try { L1342: execSync(`node -e "require('better-sqlite3')"`, { cwd: INSTALL_DIR, stdio: 'pipe' }); L1343: console.log('✅ Native dependencies verified');
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

scripts/sync-plugin.mjsView on unpkg · L1341
389try { L390: execSync('npx tsc --emitDeclarationOnly', { L391: cwd: SOURCE_DIR,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/sync-plugin.mjsView on unpkg · L389
23import { fileURLToPath } from 'url'; L24: import { execSync } from 'child_process'; L25: L26: const __filename = fileURLToPath(import.meta.url); L27: const __dirname = dirname(__filename); L28: ... L38: function getHomeDir() { L39: return process.env.HOME L40: || process.env.USERPROFILE ... L52: const raw = readFileSync(configPath, 'utf-8'); L53: const config = JSON.parse(raw); L54: const workspace = config?.agents?.defaults?.workspace;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/sync-plugin.mjsView on unpkg · L23
dist/core/trajectory.jsView file
489) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) L490: `).run(input.sessionId, input.toolName, input.outcome, input.durationMs ?? null, input.exitCode ?? null, input.errorType ?? null, input.errorMessage ?? null, input.gfiBefore ?? nul... L491: return Number(result.lastInsertRowid); ... L759: summary: row.summary ? String(row.summary) : null, L760: metadata: JSON.parse(String(row.metadata_json ?? '{}')), L761: createdAt: String(row.created_at),
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/core/trajectory.jsView on unpkg · L489

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltascripts/sync-plugin.mjs
HighChild Processdist/core/rule-implementation-runtime.js
HighShellscripts/sync-plugin.mjs
HighCopied Package Dependency Bridgescripts/sync-plugin.mjs
HighRuntime Package Installscripts/sync-plugin.mjs
MediumEnvironment Vars
MediumInstall Persistencescripts/sync-plugin.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/core/trajectory.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings