agent-core
Security Audit: Fail
Health: Warn
  • No license — Repository has no license file
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars
Code: Fail
  • rm -rf — Recursive force deletion command in .github/workflows/sync.yml
  • child_process — Shell command execution capability in lib/binary/index.js
  • fs.rmSync — Destructive file system operation in lib/binary/index.js
  • os.homedir — User home directory access in lib/binary/index.js
  • process.env — Environment variable access in lib/binary/index.js
  • fs module — File system access in lib/binary/index.js
  • fs module — File system access in lib/collectors/analyzer-queries.js
  • exec() — Shell command execution in lib/collectors/codebase.js
  • fs module — File system access in lib/collectors/codebase.js
  • child_process — Shell command execution capability in lib/collectors/docs-patterns.js
  • exec() — Shell command execution in lib/collectors/docs-patterns.js
  • fs module — File system access in lib/collectors/docs-patterns.js
  • exec() — Shell command execution in lib/collectors/documentation.js
  • fs module — File system access in lib/collectors/documentation.js
Permissions: Pass
  • Permissions — No dangerous permissions requested
Purpose
This tool provides shared core libraries for agent-sh plugins. Changes are automatically synced to numerous consumer repositories via CI-driven pull requests.

Security Assessment
Overall risk is High. The tool accesses the user's home directory and performs destructive file system operations (`fs.rmSync`). It also relies heavily on shell command execution via `child_process` and `exec()` across multiple files for codebase analysis and documentation collection. Additionally, a recursive force deletion command (`rm -rf`) is present in the CI workflow. While no hardcoded secrets were detected, the extensive environment variable access poses a risk of sensitive data leakage.

Quality Assessment
The repository is actively maintained, with the most recent push occurring today. However, trust indicators are very weak. It has low community visibility with only 5 GitHub stars, and it completely lacks a license file, meaning there are no clear legal terms for using, modifying, or distributing the code.

Verdict
Not recommended. The combination of aggressive file system access, extensive shell execution capabilities, and the complete absence of a licensing structure presents significant security and legal risks.
SUMMARY

Shared core libraries for agent-sh plugins — synced to all repos on merge

README.md

agent-core

Shared core libraries for all agent-sh plugins. Changes here are automatically synced to consuming repos via CI-driven PRs.

Consumers

Repo           How it receives lib/ and CLAUDE.md
-------------  ------------------------------------------------------
agentsys       PR → merge → sync-lib propagates to bundled plugins
next-task      PR → merge (plugin uses lib/ directly)
ship           PR → merge (plugin uses lib/ directly)
enhance        PR → merge (plugin uses lib/ directly)
deslop         PR → merge (plugin uses lib/ directly)
learn          PR → merge (plugin uses lib/ directly)
consult        PR → merge (plugin uses lib/ directly)
debate         PR → merge (plugin uses lib/ directly)
drift-detect   PR → merge (plugin uses lib/ directly)
sync-docs      PR → merge (plugin uses lib/ directly)
audit-project  PR → merge (plugin uses lib/ directly)
perf           PR → merge (plugin uses lib/ directly)
web-ctl        PR → merge (plugin uses lib/ directly)

How sync works

On merge to main, the sync workflow opens PRs in all consumer repos with the updated lib/ directory and a freshly generated CLAUDE.md (rendered from templates/CLAUDE.md.tmpl). Consumer repos review and merge at their own pace.

CLAUDE.md generation

Each consumer repo receives a generated CLAUDE.md rendered from templates/CLAUDE.md.tmpl. The generator reads package.json and optionally components.json from the target repo.

Available template variables:

  • {{pluginName}} - package name with @agentsys/ prefix stripped
  • {{description}} - package.json description
  • {{#agents}} / {{#skills}} / {{#commands}} - conditional sections from components.json

To test generation locally:

node scripts/generate-claudemd.js --target ../some-plugin --template templates/CLAUDE.md.tmpl

Developing

Edit files in lib/ for library changes. Edit templates/CLAUDE.md.tmpl to change the CLAUDE.md generated for all consumer plugins. On merge, changes propagate automatically. To test locally before merging:

# Copy to a consumer repo for testing
cp -r lib/ ../agentsys/lib/
cd ../agentsys && npx agentsys-dev sync-lib && npm test
