registry  /  @aws/ml-container-creator  /  1.3.4

@aws/ml-container-creator@1.3.4

Build and deploy custom ML containers on AWS SageMaker with minimal configuration.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The only install-adjacent behavior is `prepare: husky || true`, which may attempt first-party VCS hook initialization in source/git installs. Runtime shell and network behavior is tied to explicit CLI operations for AWS infrastructure, MCP setup, or local project scripts; no concrete malicious chain was found.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm prepare lifecycle on source/git install or package development
Impact
Potential local Git-hook configuration; no confirmed credential exfiltration, remote payload execution, or foreign AI-agent configuration mutation.
Mechanism
Husky VCS-hook setup attempt
Rationale
Source inspection does not support a malicious verdict; the scanner’s executable-helper, network, and child-process signals are package-aligned and user-invoked. The retained `prepare` hook warrants a non-blocking warning under the lifecycle policy.
Evidence
package.jsonbin/cli.jssrc/lib/bootstrap-command-handler.jssrc/lib/mcp-command-handler.jssrc/agent/tools/execute_script.pytemplates/test/test_local_image.sh.husky/

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` defines `prepare: husky || true`, a lifecycle-triggered VCS-hook setup attempt.
  • `src/lib/bootstrap-command-handler.js` runs AWS/CDK commands only from the explicit `bootstrap` flow.
  • `src/lib/mcp-command-handler.js` can run `npm install --production` only when the user explicitly adds/initializes an MCP server.
Evidence against
  • No `preinstall`, `install`, or `postinstall` lifecycle hook is present in `package.json`.
  • `bin/cli.js` invokes the Python advisor only through the explicit `hey` command.
  • `src/agent/tools/execute_script.py` restricts execution to permitted project scripts, validates flags, uses direct execution without a shell, and prompts by default.
  • `templates/test/test_local_image.sh` only builds and probes a local Docker container.
  • No source evidence of credential harvesting, third-party exfiltration, remote payload loading, destructive behavior, or AI-agent control-surface writes.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 114 file(s), 1.44 MB of source, external domains: aws.amazon.com, awscli.amazonaws.com, docs.aws.amazon.com, docs.vllm.ai, github.com, hub.docker.com, huggingface.co, json-schema.org, ngc.nvidia.com, nvidia.github.io, onnxruntime.ai, raw.githubusercontent.com, sgl-project.github.io

Source & flagged code

6 flagged · loading source
bin/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @aws/ml-container-creator@1.1.0 matchedIdentity = npm:[redacted]:1.1.0 similarity = 0.867 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/cli.jsView on unpkg
7import { fileURLToPath } from 'url'; L8: import { spawn, execSync } from 'child_process'; L9: import { program, Option, Help } from 'commander';
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L7
src/lib/bootstrap-command-handler.jsView file
901async _validateCredentials(profile, providedRegion) { L902: const identity = this._execAws('sts get-caller-identity', profile); L903: const accountId = identity.Account;
High
Shell

Package source references shell execution.

src/lib/bootstrap-command-handler.jsView on unpkg · L901
457try { L458: execSync( L459: `npx cdk bootstrap aws://${accountId}/${region}`, L460: {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/lib/bootstrap-command-handler.jsView on unpkg · L457
templates/test/test_local_image.shView file
path = templates/test/test_local_image.sh kind = payload_in_excluded_dir sizeBytes = 2118 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/test/test_local_image.shView on unpkg
path = templates/test/test_local_image.sh kind = build_helper sizeBytes = 2118 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/test/test_local_image.shView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/cli.js
HighChild Processbin/cli.js
HighShellsrc/lib/bootstrap-command-handler.js
HighRuntime Package Installsrc/lib/bootstrap-command-handler.js
HighPayload In Excluded Dirtemplates/test/test_local_image.sh
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/test/test_local_image.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings