中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 0/100
Last scan:1 day ago Rescan
0 /100
wip-license-hook
License rug-pull detection and dependency license compliance for open source projects
wip-license-hook is a legitimate open-source license compliance scanner. All functionality is accurately declared in SKILL.md. Shell/network access is limited to declared package manager tools (git, npm, pip, cargo) for the sole purpose of querying license metadata from official registries.
Skill Namewip-license-hook
Duration42.4s
Enginepi
Safe to install
No action needed. The skill is safe to use.
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned SKILL.md declares requires.bins: [node, git, npm]; scanner.ts uses execSync for …
Filesystem READ+WRITE WRITE ✓ Aligned Reads LICENSE files, package.json, writes LICENSE-LEDGER.json and snapshots to p…
Network READ READ ✓ Aligned Only queries official registries (npm, pip, cargo) for license metadata — not ar…
7 findings
🔗
Medium External URL 外部 URL
https://img.shields.io/npm/v/@wipcomputer/wip-license-hook
README.md:3
🔗
Medium External URL 外部 URL
https://www.npmjs.com/package/@wipcomputer/wip-license-hook
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/interface-CLI_/_TUI-black
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/interface-MCP_Server-black
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/interface-Claude_Code_Skill-black
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/Universal_Interface_Spec-black?style=flat&color=black
README.md:3
🔗
Medium External URL 外部 URL
https://img.shields.io/badge/$
dist/core/reporter.js:213

File Tree

27 files · 91.5 KB · 2757 lines
TypeScript 12f · 1194L JavaScript 7f · 1016L Markdown 3f · 328L JSON 3f · 113L Shell 2f · 106L
├─ 📁 dist
│ ├─ 📁 cli
│ │ ├─ 📜 index.d.ts TypeScript 15L · 449 B
│ │ └─ 📜 index.js JavaScript 169L · 6.6 KB
│ └─ 📁 core
│ ├─ 📜 detector.d.ts TypeScript 12L · 564 B
│ ├─ 📜 detector.js JavaScript 103L · 2.9 KB
│ ├─ 📜 index.d.ts TypeScript 4L · 582 B
│ ├─ 📜 index.js JavaScript 4L · 495 B
│ ├─ 📜 ledger.d.ts TypeScript 49L · 1.7 KB
│ ├─ 📜 ledger.js JavaScript 71L · 2.1 KB
│ ├─ 📜 reporter.d.ts TypeScript 14L · 657 B
│ ├─ 📜 reporter.js JavaScript 226L · 9.7 KB
│ ├─ 📜 scanner.d.ts TypeScript 39L · 1.1 KB
│ └─ 📜 scanner.js JavaScript 324L · 11.4 KB
├─ 📁 hooks
│ ├─ 🔧 pre-pull.sh Shell 55L · 2.2 KB
│ └─ 🔧 pre-push.sh Shell 51L · 1.8 KB
├─ 📁 src
│ ├─ 📁 cli
│ │ └─ 📜 index.ts TypeScript 189L · 5.9 KB
│ └─ 📁 core
│ ├─ 📜 detector.ts TypeScript 130L · 3.1 KB
│ ├─ 📜 index.ts TypeScript 4L · 582 B
│ ├─ 📜 ledger.ts TypeScript 116L · 3.0 KB
│ ├─ 📜 reporter.ts TypeScript 255L · 9.6 KB
│ └─ 📜 scanner.ts TypeScript 367L · 10.9 KB
├─ 📝 CHANGELOG.md Markdown 17L · 723 B
├─ 📜 mcp-server.mjs JavaScript 119L · 3.6 KB
├─ 📋 package-lock.json JSON 54L · 1.6 KB
├─ 📋 package.json JSON 43L · 873 B
├─ 📝 README.md Markdown 200L · 6.1 KB
├─ 📝 SKILL.md Markdown 111L · 2.8 KB
└─ 📋 tsconfig.json JSON 16L · 345 B

Dependencies 3 items

PackageVersionSourceKnown VulnsNotes
@modelcontextprotocol/sdk ^1.0.0 npm No Pinned to major version range
typescript ^5.3.0 npm No DevDependency, not shipped
@types/node ^20.0.0 npm No DevDependency, not shipped

Security Positives

✓ SKILL.md accurately describes all functionality — no doc-to-code mismatch
✓ No credential harvesting or sensitive data access
✓ No obfuscation (base64, eval, atob)
✓ No reverse shell, C2, or data exfiltration
✓ Network access limited to official package registries (npmjs.com, PyPI, crates.io)
✓ All shell commands are standard package manager tools for the declared purpose
✓ Dependencies (@modelcontextprotocol/sdk) are pinned to major version ranges
✓ Git hooks are advisory or blocking only within the project scope
✓ No hidden functionality — every feature maps to declared capabilities
✓ Filesystem writes are scoped to the target project directory