@goondocks/myco MIT 11 versions

@goondocks/myco

npm Repository Homepage

Collective agent intelligence — Claude Code plugin

11

Versions

MIT

License

Yes

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

sirkirby

Keywords

mycomcpai-agentsclaude-codecodexteam-syncknowledge-graph

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/chunk-6C26YFOA.js	AI (source-diff): tsup-bundled ESM chunk; createRequire/__commonJS are standard CJS interop patterns, not dropper behavior.	ai	2026/05/02
source-diff	net-exec-file:dist/server-J3AQ3YFA.js	AI (source-diff): tsup-bundled server entry; imports LLM/embedding modules consistent with declared Claude Code plugin purpose.	ai	2026/05/02
phantom-deps	phantom-dep:zod	AI (phantom-deps): Bundled by tsup; not directly imported at source level but used transitively.	ai	2026/05/02
phantom-deps	phantom-dep:yaml	AI (phantom-deps): Bundled by tsup; stable false positive for this package.	ai	2026/05/02
source-diff	net-exec-file:dist/chunk-AOMX45LH.js	AI (source-diff): tsup-bundled ESM output inlining node_modules; network calls are LLM API calls, not dropper behavior.	ai	2026/05/02
phantom-deps	phantom-dep:gray-matter	AI (phantom-deps): Bundled by tsup; stable false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:@anthropic-ai/sdk	AI (phantom-deps): Bundled by tsup; stable false positive for this package.	ai	2026/05/02
phantom-deps	phantom-dep:chokidar	AI (phantom-deps): Bundled by tsup; stable false positive for this package.	ai	2026/05/02
source-diff	net-exec-file:dist/server-PIEPVUUH.js	AI (source-diff): Same tsup bundle pattern; server entry importing LLM/embedding modules, not malware.	ai	2026/05/02

Versions (showing 11 of 11)

Version	Deps	Published
0.2.14	8 / 6	2026-03-16
0.2.13	8 / 6	2026-03-16
0.2.12	8 / 6	2026-03-16
0.2.11	8 / 6	2026-03-16
0.2.10	8 / 6	2026-03-16
0.2.9	8 / 6	2026-03-16
0.2.8	8 / 6	2026-03-16
0.2.7	8 / 6	2026-03-16
0.2.6	8 / 6	2026-03-16
0.2.5	8 / 6	2026-03-16
0.1.0	8 / 6	2026-03-16

v0.2.14

3 findings

HIGH New file with network + code execution: dist/chunk-6C26YFOA.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/server-J3AQ3YFA.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.13

3 findings

HIGH New file with network + code execution: dist/chunk-6C26YFOA.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/server-J3AQ3YFA.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.12

3 findings

HIGH New file with network + code execution: dist/chunk-AOMX45LH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/server-PIEPVUUH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.11

3 findings

HIGH New file with network + code execution: dist/chunk-AOMX45LH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/server-PIEPVUUH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.10

3 findings

HIGH New file with network + code execution: dist/chunk-AOMX45LH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/server-PIEPVUUH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.9

3 findings

HIGH New file with network + code execution: dist/chunk-AOMX45LH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/server-PIEPVUUH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.8

3 findings

HIGH New file with network + code execution: dist/chunk-AOMX45LH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: dist/server-PIEPVUUH.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.