npm analyzed 3.9.0

claude-all-config

v3.9.0

npm

🦾 MONSTER ENGINEER v2 - Ultimate AI CLI with 63 Skills, 12 Superpowers, 14 Agents. Multi-Agent Orchestration, Cost-Aware, Security Scorecard, Parallel-First.

maintainer: zesbe
license: MIT
first seen: 2026-06-02
last seen: 2026-06-14
releases · 30d: 0
short id

Drift inferred · capture-to-capture

HIGH 2026-06-06 code analysis flagged hidden prompt content in claude-all-config

capabilities0 tools

transport stdio · http counts 0 tools · 0 res · 0 prompts permission surface via code analysis

no tools enumerated yet for this server.

skills & danger signalsnpm-tarball

prompt-surface shipped agent-instruction files + hidden-content / dangerous-code findings — quoted from the analyzed source

analyzed v3.9.0 · analyzer v17 · 1d ago

skills & prompt files 94

⚠ hidden: skill: skill-exfilpackage/skills/telegram-alerts/SKILL.md:62secret→sink: ### Via Telegram Bot API Direct

code evidencev3.9.0 · npm-tarball

evidence-backed findings quoted directly from the published source artifact — not inferred

filesystem 15

fs package/bin/mcp-install.js :3 const fs = require('fs');
fs package/bin/skills-cli.js :17 const fs = require('fs');
fs package/index.js :23 const fs = require('fs');
fs package/lib/skill-hooks.js :13 const fs = require('fs');
fs package/lib/skills-core.js :1 import fs from 'fs';
fs package/postinstall.js :7 const fs = require('fs');
fs package/skills/performance-optimization/profiling/profile.template.js :2 const fs = require('fs');
fs package/tmux/bin/tmux-setup.js :3 const fs = require('fs');
fs package/tmux/install.js :6 const fs = require('fs');
fs package/utils/config.js :7 const fs = require('fs');
fs package/utils/custom-claude-lib.js :8 const fs = require('fs').promises;
fs package/utils/install-superpowers.js :8 const fs = require('fs');
fs package/utils/install.js :8 const fs = require('fs');
fs package/utils/postinstall.js :7 const fs = require('fs');
fs package/utils/uninstall-superpowers.js :8 const fs = require('fs');

shell / exec 9

shell package/bin/skills-cli.js :19 const { execSync } = require('child_process');
shell package/lib/skill-hooks.js :15 const { execSync } = require('child_process');
shell package/lib/skills-core.js :3 import { execSync } from 'child_process';
shell package/postinstall.js :9 const { execSync } = require('child_process');
shell package/tmux/bin/tmux-setup.js :6 const { execSync } = require('child_process');
shell package/utils/custom-claude-lib.js :130 const { exec } = require('child_process');
shell package/utils/install-superpowers.js :11 const { execSync } = require('child_process');
shell package/utils/install.js :10 const { execSync } = require('child_process');
shell package/utils/postinstall.js :9 const { execSync } = require('child_process');

network 3

net package/bin/mcp-install.js :2 const https = require('https');
net package/skills/playwright-pro/integrations/browserstack-mcp/src/client.ts :36 const response = await fetch(url, options);
net package/skills/playwright-pro/integrations/testrail-mcp/src/client.ts :40 const response = await fetch(url, options);

secrets 2

secrets package/skills/playwright-pro/integrations/browserstack-mcp/src/index.ts :13 accessKey: process.env.BROWSERSTACK_ACCESS_KEY ?? '',
secrets package/skills/playwright-pro/integrations/testrail-mcp/src/index.ts :14 apiKey: process.env.TESTRAIL_API_KEY ?? '',

install hooks 1

postinstall (suspicious) package/package.json :16 node postinstall.js || bash install.sh