https://github.com/obra/superpowers · lang: javascript · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED044 Js Console Log Prod | info | 2 |
| AGT012 Agent control bridge may listen on a network interface with… | medium | 1 |
| SEC085 JS: child_process.exec with non-literal | high | 1 |
| SEC006 XSS Risk | high | 1 |
| CORE_NO_CI No CI/CD configuration found | medium | 1 |
| AIC009 Multiple AI-agent scaffold marker files are present | low | 1 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 1 |
| MINED043 Http Not Https | info | 1 |
| MINED004 Weak Crypto | high | 1 |
| SEC128 Async function without await — fire-and-forget Promise (AI … | high | 1 |
MINED004 Weak Crypto (CWE-327) · skills/brainstorming/scripts/server.cjs:12 · conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).

SEC085 JS: child_process.exec with non-literal · skills/writing-skills/render-graphs.js:25 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

SEC128 Async function without await — fire-and-forget Promise (AI mistake) · skills/brainstorming/scripts/server.cjs:190 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

AGT012 Agent control bridge may listen on a network interface without visible auth · skills/brainstorming/scripts/start-server.sh:12 · conf 0.72

CORE_NO_CI No CI/CD configuration found

SEC045 eval()/exec() on stored or user-supplied data · skills/writing-skills/render-graphs.js:25 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

AIC009 Multiple AI-agent scaffold marker files are present · AGENTS.md:1 · conf 0.68

SEC006 XSS Risk · skills/brainstorming/scripts/helper.js:57 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.

SEC132 String concat where the language has interpolation (AI style drift) · skills/brainstorming/scripts/server.cjs:103 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…

MINED043 Http Not Https (CWE-319) · skills/brainstorming/scripts/server.cjs:342 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

MINED044 Js Console Log Prod (CWE-532) · skills/brainstorming/scripts/server.cjs:229 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

MINED044 Js Console Log Prod (CWE-532) · skills/writing-skills/render-graphs.js:78 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

MINED098 Global Scope Pollution · skills/brainstorming/scripts/helper.js:65 · conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…