registry  /  superclawd  /  0.1.6

superclawd@0.1.6

⚠ Under review

Claude Code, supercharged — your team's standards, every session. The superclawd CLI loads your workspace's skills, agents, commands, workflows, and live directives into Claude Code as a plugin.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 3 file(s), 465 KB of source, external domains: api.superclawd.com, claude.com, github.com, json-schema.org, mcp-api.superclawd.com, raw.githubusercontent.com, registry.npmjs.org, superclawd.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = superclawd@0.1.2 matchedIdentity = npm:c3VwZXJjbGF3ZA:0.1.2 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: import{spawn as fn,spawnSync as zr,execSync as Qr}from"node:child_process";import{fileURLToPath as dn}from"node:url";import{existsSync as mn}from"node:fs";import{resolve as Zr,dirn... L4: `,{mode:384});try{kn(ee,384)}catch{}}function Ye(){return b()?.preferences?.sk[redacted]===!0}function En(){return b()?.preferences?.notifications===!0}function Be(){return b()?...
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L2
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: import{spawn as fn,spawnSync as zr,execSync as Qr}from"node:child_process";import{fileURLToPath as dn}from"node:url";import{existsSync as mn}from"node:fs";import{resolve as Zr,dirn... L4: `,{mode:384});try{kn(ee,384)}catch{}}function Ye(){return b()?.preferences?.sk[redacted]===!0}function En(){return b()?.preferences?.notifications===!0}function Be(){return b()?...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L2
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: import{spawn as fn,spawnSync as zr,execSync as Qr}from"node:child_process";import{fileURLToPath as dn}from"node:url";import{existsSync as mn}from"node:fs";import{resolve as Zr,dirn... L4: `,{mode:384});try{kn(ee,384)}catch{}}function Ye(){return b()?.preferences?.sk[redacted]===!0}function En(){return b()?.preferences?.notifications===!0}function Be(){return b()?... L5: `)}catch{}}function ze(e,t,n=!1){Fe(Xe(e))||Cn(e,{notifications:n?!1:En(),...t?{workspace:t}:{}})}function Qe(){Fe(ee)||G({credentials:{keyId:"",secret:"",workspace:""},preferences... L6: `)};function Rn(){try{switch(process.platform){case"darwin":return ye("caffeinate",["-i","-w",String(process.pid)],{stdio:"ignore"});case"linux":return ye("systemd-inhibit",["--wha...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L2
2import { createRequire as __cr } from 'module'; const require = __cr(import.meta.url); L3: import{spawn as fn,spawnSync as zr,execSync as Qr}from"node:child_process";import{fileURLToPath as dn}from"node:url";import{existsSync as mn}from"node:fs";import{resolve as Zr,dirn... L4: `,{mode:384});try{kn(ee,384)}catch{}}function Ye(){return b()?.preferences?.sk[redacted]===!0}function En(){return b()?.preferences?.notifications===!0}function Be(){return b()?... L5: `)}catch{}}function ze(e,t,n=!1){Fe(Xe(e))||Cn(e,{notifications:n?!1:En(),...t?{workspace:t}:{}})}function Qe(){Fe(ee)||G({credentials:{keyId:"",secret:"",workspace:""},preferences... L6: `)};function Rn(){try{switch(process.platform){case"darwin":return ye("caffeinate",["-i","-w",String(process.pid)],{stdio:"ignore"});case"linux":return ye("systemd-inhibit",["--wha... L7: `)}async function Re(e,t,n){let r=Pn.createInterface({input:process.stdin,output:process.stderr});try{process.stderr.write(` ... L189: ${d}`:"";if(c>0&&A&&(a.PostToolUse=[{matcher:"*",hooks:[s(`remind "${r}" "${o}"`)]}],l.push({relPath:"hooks/reminder-context.txt",content:A})),f){let h={hooks:[i(`capture "${e.laun... L190: `),l=`#!/bin/sh L191: ${Mt}
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L2
dist/mcp-server.mjsView file
5|| (${i} === "string" && ${o} && ${o} == +${o} && !(${o} % 1))`).assign(a,(0,L._)`+${o}`);return;case"boolean":n.elseIf((0,L._)`${o} === "false" || ${o} === 0 || ${o} === null`).as... L6: || ${i} === "boolean" || ${o} === null`).assign(a,(0,L._)`[${o}]`)}}}function tw({gen:t,parentData:e,parentDataProperty:r},n){t.if((0,L._)`${e} !== undefined`,()=>t.assign((0,L._)`... L7: missingProperty: ${n},
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/mcp-server.mjsView on unpkg · L5

Findings

1 Critical4 High3 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/mcp-server.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License