registry  /  @actuate-media/cli  /  0.12.4

@actuate-media/cli@0.12.4

CLI for Actuate CMS — migrations, codegen, imports, exports, and upgrades

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are tied to user-invoked CMS/Prisma maintenance commands and package-aligned update/Vercel checks, with no lifecycle execution or credential exfiltration found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI subcommands such as db:status, db:init, migrate, upgrade, deploy:check --vercel, verify --url, or mcp:init.
Impact
Expected project maintenance actions; no unconsented install-time or import-time compromise identified.
Mechanism
User-invoked Prisma shell commands, project file edits, dynamic project module imports, and package-aligned HTTP checks.
Rationale
Static inspection found no lifecycle hooks, import-time payload, credential harvesting, persistence, or unaligned exfiltration; scanner hits map to expected CLI behavior. The unescaped `migrate create` shell argument is a real quality/security bug if untrusted input reaches the CLI, but it does not establish malicious package intent.
Evidence
package.jsondist/index.jsdist/commands/db-status.jsdist/utils/database.jsdist/commands/doctor.jsdist/commands/mcp.jsdist/commands/migrate.jsdist/commands/upgrade.jsdist/vercel/client.jsprisma/schema.prisma.cursor/mcp.json.vscode/mcp.json.gitignoreoutput path supplied to export command
Network endpoints4
updates.actuatecms.com/api/versionsregistry.npmjs.org/<pkg>/latestapi.vercel.comuser-supplied verify --url origin

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/commands/migrate.js interpolates user migration name into execSync command without escaping, but only in explicit `actuate migrate create <name>` use.
  • dist/commands/mcp.js writes editor MCP configs containing an API key, but only via explicit `mcp:init` and adds paths to .gitignore.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • dist/index.js only registers Commander subcommands; no import-time network, shell, or file mutation observed.
  • dist/commands/db-status.js runs `npx prisma` status/execute checks only after explicit `db:status`.
  • dist/utils/database.js dynamically imports project Prisma/cms-core modules for database access, consistent with CLI database features.
  • dist/commands/upgrade.js and update-check.js fetch Actuate/npm version metadata and do not execute returned code.
  • dist/vercel/client.js only reads Vercel env metadata using user-provided/standard Vercel token.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 52 file(s), 292 KB of source, external domains: actuatecms.dev, api.vercel.com, example.com, registry.npmjs.org, updates.actuatecms.com, vercel.com, your-site.com

Source & flagged code

4 flagged · loading source
dist/commands/db-status.jsView file
1import { execSync } from 'node:child_process'; L2: import { readFile, access } from 'node:fs/promises';
High
Child Process

Package source references child process execution.

dist/commands/db-status.jsView on unpkg · L1
80spinner.start('Checking database connection...'); L81: execSync('npx prisma db execute --stdin --schema ' + JSON.stringify(schemaPath), { L82: input: 'SELECT 1;',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/db-status.jsView on unpkg · L80
dist/utils/database.jsView file
21export async function connectProjectDatabase() { L22: const { getDB, initDB, isDBInitialized } = await import('@actuate-media/cms-core'); L23: if (isDBInitialized()) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/utils/database.jsView on unpkg · L21
dist/commands/doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @actuate-media/cli@0.12.2 matchedIdentity = npm:QGFjdHVhdGUtbWVkaWEvY2xp:0.12.2 similarity = 0.923 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/commands/doctor.jsView on unpkg

Findings

1 Critical3 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/doctor.js
HighChild Processdist/commands/db-status.js
HighShell
HighRuntime Package Installdist/commands/db-status.js
MediumDynamic Requiredist/utils/database.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License