registry  /  superclawd  /  0.1.2

superclawd@0.1.2

Claude Code, supercharged — your team's standards, every session. The superclawd CLI loads your workspace's skills, agents, commands, workflows, and live directives into Claude Code as a plugin.

Static Scan Results

scanned 4d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 463 KB of source, external domains: api.superclawd.com, claude.com, github.com, json-schema.org, mcp-api.superclawd.com, raw.githubusercontent.com, registry.npmjs.org, superclawd.com

Source & flagged code

5 flagged · loading source
dist/index.jsView file
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: import{spawn as tn,spawnSync as Dr,execSync as Or}from"node:child_process";import{fileURLToPath as en}from"node:url";import{existsSync as nn}from"node:fs";import{resolve as Tr,dirn... L4: `,{mode:384});try{cn(Q,384)}catch{}}function Ne(){return P()?.preferences?.sk[redacted]===!0}function un(){return P()?.preferences?.notifications===!0}function Ge(){return P()?....
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L2
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: import{spawn as tn,spawnSync as Dr,execSync as Or}from"node:child_process";import{fileURLToPath as en}from"node:url";import{existsSync as nn}from"node:fs";import{resolve as Tr,dirn... L4: `,{mode:384});try{cn(Q,384)}catch{}}function Ne(){return P()?.preferences?.sk[redacted]===!0}function un(){return P()?.preferences?.notifications===!0}function Ge(){return P()?....
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L2
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: import{spawn as tn,spawnSync as Dr,execSync as Or}from"node:child_process";import{fileURLToPath as en}from"node:url";import{existsSync as nn}from"node:fs";import{resolve as Tr,dirn... L4: `,{mode:384});try{cn(Q,384)}catch{}}function Ne(){return P()?.preferences?.sk[redacted]===!0}function un(){return P()?.preferences?.notifications===!0}function Ge(){return P()?.... L5: `)}catch{}}function He(e,t){Ue(Be(e))||pn(e,{notifications:un(),...t?{workspace:t}:{}})}function qe(){Ue(Q)||G({credentials:{keyId:"",secret:"",workspace:""},preferences:{notificat... L6: `)};function dn(){try{switch(process.platform){case"darwin":return Se("caffeinate",["-i","-w",String(process.pid)],{stdio:"ignore"});case"linux":return Se("systemd-inhibit",["--wha...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L2
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: import{spawn as tn,spawnSync as Dr,execSync as Or}from"node:child_process";import{fileURLToPath as en}from"node:url";import{existsSync as nn}from"node:fs";import{resolve as Tr,dirn... L4: `,{mode:384});try{cn(Q,384)}catch{}}function Ne(){return P()?.preferences?.sk[redacted]===!0}function un(){return P()?.preferences?.notifications===!0}function Ge(){return P()?.... L5: `)}catch{}}function He(e,t){Ue(Be(e))||pn(e,{notifications:un(),...t?{workspace:t}:{}})}function qe(){Ue(Q)||G({credentials:{keyId:"",secret:"",workspace:""},preferences:{notificat... L6: `)};function dn(){try{switch(process.platform){case"darwin":return Se("caffeinate",["-i","-w",String(process.pid)],{stdio:"ignore"});case"linux":return Se("systemd-inhibit",["--wha... L7: `);let r=Qe("npm install -g superclawd@latest",{stdio:"inherit",shell:!0});if(r.status!==0)return process.stderr.write(` ... L190: ${d}`:"";if(c>0&&A&&(a.PostToolUse=[{matcher:"*",hooks:[s(`remind "${r}" "${o}"`)]}],l.push({relPath:"hooks/reminder-context.txt",content:A})),f){let h={hooks:[i(`capture "${e.laun... L191: `),l=`#!/bin/sh L192: ${yt} ...
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L2
dist/mcp-server.mjsView file
5|| (${i} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(a,(0,L._)`+${o}`);return;case"boolean":n.elseIf((0,L._)`${o} === "false" || ${o} === 0 || ${o} === null`).as... L6: || ${i} === "boolean" || ${o} === null`).assign(a,(0,L._)`[${o}]`)}}}function tw({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,L._)`${e} !== undefined`,()=>t.assign((0,L._)`... L7: missingProperty: ${n},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/mcp-server.mjsView on unpkg · L5

Findings

4 High3 Medium7 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/mcp-server.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License