registry  /  @adobe/helix-onedrive-cli  /  1.11.415

@adobe/helix-onedrive-cli@1.11.415

Helix OneDrive CLI

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious behavior was found in runtime source. The only non-clean control surface is the prepare lifecycle hook that invokes Husky.

Static reason
No blocking static signals were detected.
Trigger
npm prepare lifecycle during source/git installation
Impact
May alter local VCS hook configuration; no credential exfiltration, remote execution, or destructive package behavior was established.
Mechanism
Husky lifecycle invocation for VCS-hook setup
Rationale
Source inspection found no concrete malware or unconsented broad control-surface mutation. The prepare-only Husky hook warrants a non-blocking warning under policy.
Evidence
package.jsonsrc/index.jssrc/utils.jssrc/client.jssrc/onedrive.jssrc/onedrive.cmd.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json defines a prepare lifecycle hook: "husky".
  • The lifecycle hook can initialize VCS hooks during source/git installs.
Evidence against
  • src/index.js only runs when the 1d CLI entrypoint is invoked.
  • src/utils.js dynamically imports only packaged .js command modules from src/excel.
  • src/client.js uses Azure credentials for explicit OneDrive authentication and stores local state/cache files.
  • src/onedrive.js file reads, writes, uploads, downloads, and subscription changes are explicit CLI commands.
  • No child-process, eval/vm, shell execution, remote payload loader, or AI-agent config writes found.
Behavioral surface
Source
CryptoDynamicRequireEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 54.2 KB of source, external domains: 01fe5492.ngrok.io, adobe-my.sharepoint.com, adobeioruntime.net, github.com

Source & flagged code

1 flagged · loading source
src/utils.jsView file
19// eslint-disable-next-line no-await-in-loop L20: const cmd = (await import(path.resolve(dir, filename))).default; L21: yargs.command(cmd);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/utils.jsView on unpkg · L19

Findings

2 Medium5 Low
MediumDynamic Requiresrc/utils.js
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings