
wizz-method@1.3.2

Wizz Method — AI-driven agency method in PT-BR (independent fork of BMad Method)

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 18 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot

Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.

Scanned 80 file(s), 1.06 MB of source. External domains: api.github.com, bmadcode.com, example.com, github.com, harrymkt.github.io, method.wizzcomms.com, openspeech.bytedance.com, registry.npmjs.org, www.w3.org, yekta.dev

Source & flagged code

9 flagged

tools/bundle-web-bundles.js
    L15: const path = require('node:path');
    L16: const { execSync, execFileSync } = require('node:child_process');
    L17:
High
Child Process

Package source references child process execution.

tools/bundle-web-bundles.js · L15

    L13:
    L14: const fs = require('node:fs');
    L15: const path = require('node:path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tools/bundle-web-bundles.js · L13

src/skills-lib/huashu-design/scripts/tts-doubao.mjs
    L14:  *
    L15:  * env (read automatically from the skill root .env; can also be overridden via process.env):
    L16:  *   DOUBAO_TTS_API_KEY   required
    ...
    L18:  *   DOUBAO_TTS_CLUSTER   defaults to volcano_icl
    L19:  *   DOUBAO_TTS_ENDPOINT  defaults to https://openspeech.bytedance.com/api/v1/tts
    L20:  */
    ...
    L23: import path from 'node:path';
    L24: import { execFileSync } from 'node:child_process';
    L25: import { fileURLToPath } from 'node:url';
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/skills-lib/huashu-design/scripts/tts-doubao.mjs · L14

tools/installer/yaml-format.js
    L145: // Use yaml-lint for additional validation
    L146: execSync(`npx yaml-lint "${filePath}"`, { stdio: 'pipe' });
    L147: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

tools/installer/yaml-format.js · L145

tools/validate-svg-changes.sh
    path = tools/validate-svg-changes.sh
    kind = build_helper
    sizeBytes = 11240
    magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

tools/validate-svg-changes.sh

build/site/pagefind/wasm.unknown.pagefind
    path = build/site/pagefind/wasm.unknown.pagefind
    kind = high_entropy_blob
    sizeBytes = 52697
    magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

build/site/pagefind/wasm.unknown.pagefind

    path = build/site/pagefind/wasm.unknown.pagefind
    kind = compressed_blob
    sizeBytes = 52697
    magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

build/site/pagefind/wasm.unknown.pagefind

src/bmm-skills/3-solutioning/wizz-architecture/scripts/tests/test_lint_spine.py
    path = src/bmm-skills/3-solutioning/wizz-architecture/scripts/tests/test_lint_spine.py
    kind = payload_in_excluded_dir
    sizeBytes = 9932
    magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

src/bmm-skills/3-solutioning/wizz-architecture/scripts/tests/test_lint_spine.py

src/skills-lib/graphify/SKILL.md
    patternName = generic_password
    severity = medium
    line = 527
    matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in src/skills-lib/graphify/SKILL.md

src/skills-lib/graphify/SKILL.md · L527

Findings

6 High · 7 Medium · 5 Low

High · Child Process · tools/bundle-web-bundles.js
High · Shell
High · Same File Env Network Execution · src/skills-lib/huashu-design/scripts/tts-doubao.mjs
High · Runtime Package Install · tools/installer/yaml-format.js
High · Ships High Entropy Blob · build/site/pagefind/wasm.unknown.pagefind
High · Payload In Excluded Dir · src/bmm-skills/3-solutioning/wizz-architecture/scripts/tests/test_lint_spine.py
Medium · Dynamic Require · tools/bundle-web-bundles.js
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · tools/validate-svg-changes.sh
Medium · Ships Compressed Blob · build/site/pagefind/wasm.unknown.pagefind
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · src/skills-lib/graphify/SKILL.md
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings