@lythos/skill-arena
Skill Arena — benchmark skill effectiveness with controlled-variable comparison
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:zod-to-json-schema | AI (phantom-deps): Likely used transitively via zod integration; stable false positive for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Standard subprocess spawn pattern passing current env; not exfiltration. | ai | |
Versions (showing 51 of 55)
| Version | Deps | Published |
|---|---|---|
| 0.16.0 | 5 / 0 | |
| 0.15.7 | 5 / 0 | |
| 0.15.6 | 5 / 0 | |
| 0.15.5 | 5 / 0 | |
| 0.15.3 | 5 / 0 | |
| 0.15.2 | 5 / 0 | |
| 0.15.1 | 5 / 0 | |
| 0.15.0 | 5 / 0 | |
| 0.14.6 | 5 / 0 | |
| 0.14.5 | 5 / 0 | |
| 0.14.4 | 5 / 0 | |
| 0.14.3 | 5 / 0 | |
| 0.14.2 | 5 / 0 | |
| 0.14.1 | 5 / 0 | |
| 0.14.0 | 5 / 0 | |
| 0.13.3 | 5 / 0 | |
| 0.13.2 | 5 / 0 | |
| 0.13.1 | 5 / 0 | |
| 0.13.0 | 5 / 0 | |
| 0.12.0 | 5 / 0 | |
| 0.11.2 | 5 / 0 | |
| 0.11.1 | 5 / 0 | |
| 0.11.0 | 5 / 0 | |
| 0.10.0 | 4 / 0 | |
| 0.9.23 | 3 / 0 | |
| 0.9.22 | 3 / 0 | |
| 0.9.21 | 3 / 0 | |
| 0.9.20 | 3 / 0 | |
| 0.9.19 | 3 / 0 | |
| 0.9.18 | 2 / 0 | |
| 0.9.17 | 2 / 0 | |
| 0.9.16 | 2 / 0 | |
| 0.9.15 | 2 / 0 | |
| 0.9.14 | 2 / 0 | |
| 0.9.13 | 2 / 0 | |
| 0.9.12 | 2 / 0 | |
| 0.9.11 | 2 / 0 | |
| 0.9.10 | 2 / 0 | |
| 0.9.9 | 2 / 0 | |
| 0.9.8 | 2 / 0 | |
| 0.9.7 | 2 / 0 | |
| 0.9.6 | 2 / 0 | |
| 0.9.3 | 2 / 0 | |
| 0.9.2 | 2 / 0 | |
| 0.9.1 | 0 / 0 | |
| 0.9.0 | 0 / 0 | |
| 0.7.2 | 0 / 0 | |
| 0.7.0 | 0 / 0 | |
| 0.6.2 | 0 / 0 | |
| 0.6.1 | 0 / 0 | |
| 0.6.0 | 0 / 0 | |
v0.16.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.3
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/e8a03b8560ca84f30d9e4b5c411053b15a2ce22d/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/e8a03b8560ca84f30d9e4b5c411053b15a2ce22d/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/e8a03b8560ca84f30d9e4b5c411053b15a2ce22d/src/runner.ts#L193
```
  191 | const linkProc = Bun.spawn(
  192 | ['bunx', '@lythos/skill-deck', 'link'],
> 193 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  194 | )
  195 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.2
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b5b4c2b9a8773ee7befe76b36ce1e3bbc79e663b/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b5b4c2b9a8773ee7befe76b36ce1e3bbc79e663b/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b5b4c2b9a8773ee7befe76b36ce1e3bbc79e663b/src/runner.ts#L193
```
  191 | const linkProc = Bun.spawn(
  192 | ['bunx', '@lythos/skill-deck', 'link'],
> 193 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  194 | )
  195 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.1
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/2abe879eb2e37b3c8bb0dbddd1b0cac3cf2373a2/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/2abe879eb2e37b3c8bb0dbddd1b0cac3cf2373a2/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/2abe879eb2e37b3c8bb0dbddd1b0cac3cf2373a2/src/runner.ts#L193
```
  191 | const linkProc = Bun.spawn(
  192 | ['bunx', '@lythos/skill-deck', 'link'],
> 193 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  194 | )
  195 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/fcba222cbd680f802549351e3c283e2a505a9feb/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/fcba222cbd680f802549351e3c283e2a505a9feb/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/fcba222cbd680f802549351e3c283e2a505a9feb/src/runner.ts#L193
```
  191 | const linkProc = Bun.spawn(
  192 | ['bunx', '@lythos/skill-deck', 'link'],
> 193 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  194 | )
  195 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.6
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/df5cc2fbd30865437f25eeb33ff585729b96f81c/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/df5cc2fbd30865437f25eeb33ff585729b96f81c/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/df5cc2fbd30865437f25eeb33ff585729b96f81c/src/runner.ts#L193
```
  191 | const linkProc = Bun.spawn(
  192 | ['bunx', '@lythos/skill-deck', 'link'],
> 193 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  194 | )
  195 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.5
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/053e79419b273e0af9a3dae69b90ba0dedeb5ec3/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/053e79419b273e0af9a3dae69b90ba0dedeb5ec3/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/053e79419b273e0af9a3dae69b90ba0dedeb5ec3/src/runner.ts#L193
```
  191 | const linkProc = Bun.spawn(
  192 | ['bunx', '@lythos/skill-deck', 'link'],
> 193 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  194 | )
  195 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.4
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/7f2a87d01aec0c5066da82e15a10cf942f472388/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/7f2a87d01aec0c5066da82e15a10cf942f472388/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/7f2a87d01aec0c5066da82e15a10cf942f472388/src/runner.ts#L193
```
  191 | const linkProc = Bun.spawn(
  192 | ['bunx', '@lythos/skill-deck', 'link'],
> 193 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  194 | )
  195 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.3
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/a6e8e0e9e7279c990008d85b2c9fdb8cafaa81ad/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/a6e8e0e9e7279c990008d85b2c9fdb8cafaa81ad/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/a6e8e0e9e7279c990008d85b2c9fdb8cafaa81ad/src/runner.ts#L191
```
  189 | const linkProc = Bun.spawn(
  190 | ['bunx', '@lythos/skill-deck', 'link'],
> 191 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  192 | )
  193 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.2
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/d66b0d9a31e6cac0f83922f4a53679ce24598e2e/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/d66b0d9a31e6cac0f83922f4a53679ce24598e2e/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/d66b0d9a31e6cac0f83922f4a53679ce24598e2e/src/runner.ts#L191
```
  189 | const linkProc = Bun.spawn(
  190 | ['bunx', '@lythos/skill-deck', 'link'],
> 191 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  192 | )
  193 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.1
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/85357c1690bfc4846a92832a2ddf5854dde25a4a/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/85357c1690bfc4846a92832a2ddf5854dde25a4a/src/cli.ts#L503
```
  501 | : ['bunx', '@lythos/skill-deck', 'link']
  502 | const linkProc = Bun.spawn(linkCmd,
> 503 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  504 | )
  505 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/85357c1690bfc4846a92832a2ddf5854dde25a4a/src/runner.ts#L191
```
  189 | const linkProc = Bun.spawn(
  190 | ['bunx', '@lythos/skill-deck', 'link'],
> 191 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  192 | )
  193 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/259d3a1a94873a7111f28b1d9574820eb6c38a82/src/cli.ts#L295
```
  293 | : ['bunx', '@lythos/skill-deck', 'link']
  294 | const linkProc = Bun.spawn(linkCmd,
> 295 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  296 | )
  297 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/259d3a1a94873a7111f28b1d9574820eb6c38a82/src/cli.ts#L504
```
  502 | : ['bunx', '@lythos/skill-deck', 'link']
  503 | const linkProc = Bun.spawn(linkCmd,
> 504 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  505 | )
  506 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/259d3a1a94873a7111f28b1d9574820eb6c38a82/src/runner.ts#L191
```
  189 | const linkProc = Bun.spawn(
  190 | ['bunx', '@lythos/skill-deck', 'link'],
> 191 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  192 | )
  193 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.3
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/be1c3ce84a8bb5068514fc964e49ba766ef61626/src/cli.ts#L291
```
  289 | : ['bunx', '@lythos/skill-deck', 'link']
  290 | const linkProc = Bun.spawn(linkCmd,
> 291 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  292 | )
  293 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/be1c3ce84a8bb5068514fc964e49ba766ef61626/src/runner.ts#L191
```
  189 | const linkProc = Bun.spawn(
  190 | ['bunx', '@lythos/skill-deck', 'link'],
> 191 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  192 | )
  193 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.2
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/0168944025728850a5600ecaab2844ac6a8cfba1/src/cli.ts#L291
```
  289 | : ['bunx', '@lythos/skill-deck', 'link']
  290 | const linkProc = Bun.spawn(linkCmd,
> 291 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  292 | )
  293 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/0168944025728850a5600ecaab2844ac6a8cfba1/src/runner.ts#L191
```
  189 | const linkProc = Bun.spawn(
  190 | ['bunx', '@lythos/skill-deck', 'link'],
> 191 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  192 | )
  193 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b5ca149d96348d7072f79892bea475ab43d08f87/src/cli.ts#L283
```
  281 | : ['bunx', '@lythos/skill-deck', 'link']
  282 | const linkProc = Bun.spawn(linkCmd,
> 283 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  284 | )
  285 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b5ca149d96348d7072f79892bea475ab43d08f87/src/runner.ts#L150
```
  148 | const linkProc = Bun.spawn(
  149 | ['bunx', '@lythos/skill-deck', 'link'],
> 150 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  151 | )
  152 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/4276bb2486e9d44dcc2c1b6cf1bad3b4b983414e/src/cli.ts#L282
```
  280 | : ['bunx', '@lythos/skill-deck', 'link']
  281 | const linkProc = Bun.spawn(linkCmd,
> 282 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  283 | )
  284 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/4276bb2486e9d44dcc2c1b6cf1bad3b4b983414e/src/runner.ts#L150
```
  148 | const linkProc = Bun.spawn(
  149 | ['bunx', '@lythos/skill-deck', 'link'],
> 150 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  151 | )
  152 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/3d24f6b50e23a1be102ca2a9f342607925036530/src/cli.ts#L282
```
  280 | : ['bunx', '@lythos/skill-deck', 'link']
  281 | const linkProc = Bun.spawn(linkCmd,
> 282 | { cwd: agentWorkdir, env: { ...process.env, HOME: process.env.HOME! } },
  283 | )
  284 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/3d24f6b50e23a1be102ca2a9f342607925036530/src/runner.ts#L150
```
  148 | const linkProc = Bun.spawn(
  149 | ['bunx', '@lythos/skill-deck', 'link'],
> 150 | { cwd: workDir, env: { ...process.env, HOME: process.env.HOME! } },
  151 | )
  152 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/df87e4f49e1c38e41ce216bdd35c071420cd194b/src/cli.ts#L273
```
  271 | : ['bunx', '@lythos/skill-deck', 'link']
  272 | const linkProc = Bun.spawn(linkCmd,
> 273 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  274 | )
  275 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/df87e4f49e1c38e41ce216bdd35c071420cd194b/src/runner.ts#L175
```
  173 | const linkProc = Bun.spawn(
  174 | ['bunx', '@lythos/skill-deck', 'link'],
> 175 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  176 | )
  177 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/e7b063ed1565121543ca5dc4ad49415b5c638726/src/cli.ts#L273
```
  271 | : ['bunx', '@lythos/skill-deck', 'link']
  272 | const linkProc = Bun.spawn(linkCmd,
> 273 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  274 | )
  275 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/e7b063ed1565121543ca5dc4ad49415b5c638726/src/runner.ts#L175
```
  173 | const linkProc = Bun.spawn(
  174 | ['bunx', '@lythos/skill-deck', 'link'],
> 175 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  176 | )
  177 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b92692abff0ea3d01468cd5f8bd64cc1f87812c4/src/cli.ts#L273
```
  271 | : ['bunx', '@lythos/skill-deck', 'link']
  272 | const linkProc = Bun.spawn(linkCmd,
> 273 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  274 | )
  275 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b92692abff0ea3d01468cd5f8bd64cc1f87812c4/src/runner.ts#L175
```
  173 | const linkProc = Bun.spawn(
  174 | ['bunx', '@lythos/skill-deck', 'link'],
> 175 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  176 | )
  177 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/3c49086dd1c1601f96855b879bfade26d34214f3/src/cli.ts#L255
```
  253 | : ['bunx', '@lythos/skill-deck', 'link']
  254 | const linkProc = Bun.spawn(linkCmd,
> 255 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  256 | )
  257 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/3c49086dd1c1601f96855b879bfade26d34214f3/src/runner.ts#L175
```
  173 | const linkProc = Bun.spawn(
  174 | ['bunx', '@lythos/skill-deck', 'link'],
> 175 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  176 | )
  177 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.23
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/7a5fa8d2f35d02eddab85d794e00906787f53397/src/cli.ts#L165
```
  163 | : ['bunx', '@lythos/skill-deck', 'link']
  164 | const linkProc = Bun.spawn(linkCmd,
> 165 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  166 | )
  167 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/7a5fa8d2f35d02eddab85d794e00906787f53397/src/runner.ts#L119
```
  117 | const linkProc = Bun.spawn(
  118 | ['bunx', '@lythos/skill-deck', 'link'],
> 119 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  120 | )
  121 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.22
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/2ef9d7f19e95094a6b8241789179be44bd0999d2/src/cli.ts#L156
```
  154 | const linkProc = Bun.spawn(
  155 | ['bunx', '@lythos/skill-deck', 'link'],
> 156 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  157 | )
  158 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/2ef9d7f19e95094a6b8241789179be44bd0999d2/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(
  116 | ['bunx', '@lythos/skill-deck', 'link'],
> 117 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  118 | )
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.21
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/3fb4142ddde39d0f4f6a5a5a2cd20e1dfee0772a/src/cli.ts#L156
```
  154 | const linkProc = Bun.spawn(
  155 | ['bunx', '@lythos/skill-deck', 'link'],
> 156 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  157 | )
  158 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/3fb4142ddde39d0f4f6a5a5a2cd20e1dfee0772a/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(
  116 | ['bunx', '@lythos/skill-deck', 'link'],
> 117 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  118 | )
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.20
3 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/ab8776cddfa2a41f5ad97620367cb7ee8d249ebf/src/cli.ts#L156
```
  154 | const linkProc = Bun.spawn(
  155 | ['bunx', '@lythos/skill-deck', 'link'],
> 156 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  157 | )
  158 | await linkProc.exited
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/ab8776cddfa2a41f5ad97620367cb7ee8d249ebf/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(
  116 | ['bunx', '@lythos/skill-deck', 'link'],
> 117 | { cwd: workdir, env: { ...process.env, HOME: process.env.HOME! } },
  118 | )
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.19
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b4bcf10426da553b1848ae5943b35c1c650160ed/src/runner.ts#L118
```
  116 | const linkProc = Bun.spawn(['bun', 'run', deckCli, 'link'], {
  117 | cwd: workdir,
> 118 | env: { ...process.env, HOME: process.env.HOME },
  119 | })
  120 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.18
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/5e5ab0f97eb3db96346330bf4d554cc92a57c9c6/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(['bun', 'run', deckCli, 'link'], {
  116 | cwd: workdir,
> 117 | env: { ...process.env, HOME: process.env.HOME },
  118 | })
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.17
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/b71be3cdb61ec7cd44c18b16d81e1108e3cb6442/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(['bun', 'run', deckCli, 'link'], {
  116 | cwd: workdir,
> 117 | env: { ...process.env, HOME: process.env.HOME },
  118 | })
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.16
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/9e4edf6d840d7ac0fb0be3a96ead4180d19cd2f8/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(['bun', 'run', deckCli, 'link'], {
  116 | cwd: workdir,
> 117 | env: { ...process.env, HOME: process.env.HOME },
  118 | })
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.15
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/ae3b6944d25b43125e60ba934411ba8fca673a1c/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(['bun', 'run', deckCli, 'link'], {
  116 | cwd: workdir,
> 117 | env: { ...process.env, HOME: process.env.HOME },
  118 | })
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.14
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/9b26a9fa6ecd838ab618bce469a40cfce11d8bf4/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(['bun', 'run', deckCli, 'link'], {
  116 | cwd: workdir,
> 117 | env: { ...process.env, HOME: process.env.HOME },
  118 | })
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.13
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/lythos-labs/lythoskill/blob/87dd6017eacb575c301720dba55452b91b0d566c/src/runner.ts#L117
```
  115 | const linkProc = Bun.spawn(['bun', 'run', deckCli, 'link'], {
  116 | cwd: workdir,
> 117 | env: { ...process.env, HOME: process.env.HOME },
  118 | })
  119 | await linkProc.exited
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.7.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.