Security Findings in Executable Artifacts
While auditing NL programming artifacts in this repository, our scanner detected potential security issues in executable files.
Findings
| # | Severity | File | Line | Pattern | Description |
|---|----------|------|------|---------|-------------|
| 1 | High | scripts/check-i18n-consistency.js | 91 | eval-equivalent (new Function) | `` `new Function(`return ${str}`)()` `` evaluates translation file content as JavaScript; if a translation file is maliciously crafted, arbitrary code executes in the developer's environment |
| 2 | High | package.json | 42 | postinstall-script | `"prepare": "husky"` runs automatically on `npm install`; standard husky pattern but executes code on install — see false_positive note in sidecar |
About This Report
These findings come from NLPM's security scanner, which checks executable surfaces (hooks, scripts, MCP configs, dependencies) against known-dangerous patterns.
We may be wrong — false positives happen. If any finding is intentional or already mitigated, please close this issue. If a finding is genuine and you'd like a fix PR, let us know.
Full audit report: https://github.com/xiaolai/nlpm-for-claude/blob/main/auditor/audits/refly-ai-refly.md