registry  /  sma-framework  /  3.6.0

sma-framework@3.6.0

SMA (Shared Memory & Automation) - the accountability layer for AI coding agents: layered memory, multi-terminal coordination without a server, and verified claims. Plain files + git, zero LLM in the hot path. Install: npx -y sma-framework@latest init

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 25 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 215 file(s), 4.26 MB of source, external domains: api.npmjs.org, api.search.brave.com, bitbucket.org, crates.io, docs.cline.bot, github.com, gitlab.com, img.shields.io, pypi.org, raw.githubusercontent.com, registry.npmjs.org, selftest.local, www.codebuddy.ai

Source & flagged code

16 flagged · loading source
scripts/sma/__tests__/profile.test.tsView file
124patternName = github_pat severity = critical line = 124 matchedText = expect(s...rue)
Critical
Critical Secret

Package contains a critical-looking secret pattern.

scripts/sma/__tests__/profile.test.tsView on unpkg · L124
124patternName = github_pat severity = critical line = 124 matchedText = expect(s...rue)
Critical
Secret Pattern

GitHub personal access token in scripts/sma/__tests__/profile.test.ts

scripts/sma/__tests__/profile.test.tsView on unpkg · L124
125patternName = aws_access_key severity = critical line = 125 matchedText = expect(s...rue)
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/profile.test.ts

scripts/sma/__tests__/profile.test.tsView on unpkg · L125
bin/init.mjsView file
350try { L351: const { pathToFileURL } = await import('node:url'); L352: const embed = await import(pathToFileURL(path.join(pkgRoot, 'scripts', 'sma', 'lib', 'claude-embed.mjs')).href);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/init.mjsView on unpkg · L350
scripts/sma/lib/registry.mjsView file
32import { fileURLToPath } from 'node:url' L33: import { execFileSync, spawn as childSpawn } from 'node:child_process' L34: import { createHash } from 'node:crypto' ... L97: export function resolveTerminalIdentity(opts = {}) { L98: const env = opts.env ?? process.env L99: const pid = opts.pid ?? process.pid ... L147: export function smaRoot(opts = {}) { L148: const cwd = opts.cwd ?? process.cwd() L149: try {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

scripts/sma/lib/registry.mjsView on unpkg · L32
sma-core/bin/lib/shell-command-projection.cjsView file
17Object.defineProperty(exports, "__esModule", { value: true }); L18: exports.[redacted] = [redacted]; L19: exports.formatHookCommandForRuntime = formatHookCommandForRuntime; ... L64: function [redacted](opts = {}) { L65: const platform = opts.platform || process.platform; L66: const runtime = opts.runtime || 'generic'; ... L345: { L346: label: 'cmd.exe', L347: shell: 'cmd', ... L352: shell: 'bash', L353: command: `echo 'export PATH="${bashTargetDir}:$PATH"' >> ~/.bashrc`, L354: },
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

sma-core/bin/lib/shell-command-projection.cjsView on unpkg · L17
sma-core/workflows/_runtime-launcher.snippet.shView file
path = sma-core/workflows/_runtime-launcher.snippet.sh kind = build_helper sizeBytes = 4466 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

sma-core/workflows/_runtime-launcher.snippet.shView on unpkg
scripts/sma/__tests__/lint.test.tsView file
819patternName = aws_access_key severity = critical line = 819 matchedText = const aw...ET')
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/lint.test.ts

scripts/sma/__tests__/lint.test.tsView on unpkg · L819
scripts/sma/__tests__/flight.test.tsView file
141patternName = aws_access_key severity = critical line = 141 matchedText = const aw...nd')
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/flight.test.ts

scripts/sma/__tests__/flight.test.tsView on unpkg · L141
144patternName = private_key_rsa severity = critical line = 144 matchedText = const pk...--')
Critical
Secret Pattern

RSA private key in scripts/sma/__tests__/flight.test.ts

scripts/sma/__tests__/flight.test.tsView on unpkg · L144
169patternName = aws_access_key severity = critical line = 169 matchedText = journalT... }],
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/flight.test.ts

scripts/sma/__tests__/flight.test.tsView on unpkg · L169
172patternName = aws_access_key severity = critical line = 172 matchedText = expect(c...LE')
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/flight.test.ts

scripts/sma/__tests__/flight.test.tsView on unpkg · L172
180patternName = aws_access_key severity = critical line = 180 matchedText = expect(i...LE')
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/flight.test.ts

scripts/sma/__tests__/flight.test.tsView on unpkg · L180
181patternName = aws_access_key severity = critical line = 181 matchedText = expect(p...LE')
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/flight.test.ts

scripts/sma/__tests__/flight.test.tsView on unpkg · L181
226patternName = aws_access_key severity = critical line = 226 matchedText = const le...E\n'
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/flight.test.ts

scripts/sma/__tests__/flight.test.tsView on unpkg · L226
229patternName = aws_access_key severity = critical line = 229 matchedText = expect(w...LE')
Critical
Secret Pattern

AWS access key ID in scripts/sma/__tests__/flight.test.ts

scripts/sma/__tests__/flight.test.tsView on unpkg · L229

Findings

12 Critical7 Medium6 Low
CriticalCritical Secretscripts/sma/__tests__/profile.test.ts
CriticalSecret Patternscripts/sma/__tests__/profile.test.ts
CriticalSecret Patternscripts/sma/__tests__/profile.test.ts
CriticalSecret Patternscripts/sma/__tests__/lint.test.ts
CriticalSecret Patternscripts/sma/__tests__/flight.test.ts
CriticalSecret Patternscripts/sma/__tests__/flight.test.ts
CriticalSecret Patternscripts/sma/__tests__/flight.test.ts
CriticalSecret Patternscripts/sma/__tests__/flight.test.ts
CriticalSecret Patternscripts/sma/__tests__/flight.test.ts
CriticalSecret Patternscripts/sma/__tests__/flight.test.ts
CriticalSecret Patternscripts/sma/__tests__/flight.test.ts
CriticalSecret Patternscripts/sma/__tests__/flight.test.ts
MediumDynamic Requirebin/init.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencesma-core/bin/lib/shell-command-projection.cjs
MediumProtestware
MediumShips Build Helpersma-core/workflows/_runtime-launcher.snippet.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptoscripts/sma/lib/registry.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings