
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
GoHighLevel Agentic Workspace Engine — forked from Everything Claude Code (ecc-universal)
GoHighLevel Agentic Workspace Engine — forked from Everything Claude Code.
aw-ecc is GoHighLevel's private fork of ECC. It keeps the upstream ECC engine, then layers in AW SDLC routing, GHL platform integration, repo-local defaults, and eval coverage for GoHighLevel workflows.
The current catalog exposed by this repo is:
Installing aw-ecc gives your workspace access to 28 agents, 173 skills, and 72 commands through the repo-local AW command surface plus GHL-specific skill and policy layers.
| Surface | Availability |
|---|---|
| Agents | ✅ 28 agents |
| Skills | ✅ 173 skills |
| Commands | ✅ 72 commands |
These catalog counts are validated in CI so the published docs stay aligned with the repo contents.
aw-ecc (this repo) = the engine - ECC baseline + AW SDLC routing + GHL platform integration
platform/ = the brain - GHL domain knowledge (NestJS, Vue, HighRise, multi-tenancy, events)
aw init = the glue - shallow-clone aw-ecc -> run installer -> aw link for platform/
When a developer runs aw init, the CLI:
platform/ and team namespace contentscripts/install-apply.js --target cursor --profile fullResult: the workspace gets the repo-local AW command surface plus linked GHL platform content.
The default AW delivery flow is:
/aw:plan -> define the approved technical path/aw:build -> implement approved work in thin, reversible slices/aw:test -> prove the requested QA scope with fresh evidence/aw:review -> findings, governance, and readiness decisions/aw:deploy -> perform one release action/aw:ship -> launch, rollout, rollback readiness, and release closeoutThere is also one conditional diagnostic route:
/aw:investigate -> reproduce, localize, and confirm bugs or alerts before broad fixes/aw:investigate is intentionally not part of every happy-path request.
Use it when the problem is real but the cause is still unclear, then return to /aw:build, /aw:test, or /aw:review as needed.
Compatibility entrypoints remain available during migration:
/aw:execute -> /aw:build/aw:verify -> /aw:test, /aw:review, or the smallest correct combined verification flowFor explicit end-to-end automation, the repo uses the internal aw-yolo orchestration skill instead of overloading ship.
aw-yolo starts from the first unsatisfied stage and runs only the smallest correct remaining sequence.
For the smallest newcomer-friendly path through the repo, see docs/aw-ecc-core-bundle.md.
| Change | Scope |
|---|---|
AW SDLC public-stage routing (/aw:plan, /aw:build, /aw:test, /aw:review, /aw:deploy, /aw:ship, plus conditional /aw:investigate) | commands, skills, defaults, docs |
Compatibility routing for legacy /aw:execute and /aw:verify entrypoints | commands, skills, router docs |
| GHL baseline operating standards for review, QA, frontend quality, governance, and rollout safety | defaults, references, stage skills |
| Repo-local staging and verification confidence artifacts | docs, defaults, evals |
| Rebrand and package metadata | package.json, README.md |
The repo still tracks upstream ECC, but it now carries meaningful repo-local AW SDLC behavior on top of the upstream baseline.
Each stage skill should also activate the matching GHL platform skill family by task domain:
platform-services:*platform-frontend:* plus platform-design:*platform-data:*platform-infra:*platform-sdet:*platform-review:*The namespace families let the model auto-discover GHL platform skills without hardcoding every individual name.
After the primary AW stage is selected, using-platform-skills should choose the smallest supporting platform stack.
AW stages should inherit org standards directly from the GHL baseline profiles and platform playbooks, not from ad hoc prompt prose.
That means:
The testing stack is documented in four places:
Use this mental model when reading the eval docs:
deterministic/ = contract checksrouting/ = routing checksoutcomes/ = outcome checksThis is a fork of affaan-m/everything-claude-code. To merge upstream changes:
git remote add upstream https://github.com/affaan-m/everything-claude-code.git
git fetch upstream
git merge upstream/main
# Resolve conflicts in the repo-local AW SDLC command, skill, and doc layers
git tag v1.x.0
If you have everything-claude-code installed as a Claude Code plugin, remove it before using aw-ecc.
Running both can duplicate skills, commands, and routing instructions in the IDE context.
MIT — same as upstream ECC.
FAQs
GoHighLevel Agentic Workspace Engine — forked from Everything Claude Code (ecc-universal)
The npm package aw-ecc receives a total of 40 weekly downloads. As such, aw-ecc popularity was classified as not popular.
We found that aw-ecc demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.