registry  /  @aws/ml-container-creator  /  1.1.0

@aws/ml-container-creator@1.1.0

Build and deploy custom ML containers on AWS SageMaker with minimal configuration.

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Suspicious primitives are user-invoked ML container, AWS provisioning, MCP setup, and template-generation behavior aligned with the package purpose.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the CLI or an explicit subcommand such as bootstrap, mcp init/add, secrets, or hey.
Impact
Can create project files and AWS resources when explicitly invoked; no install-time or import-time malware behavior found.
Mechanism
User-directed project generation, AWS CLI orchestration, bundled MCP registration, and local template scripts.
Rationale
Static source inspection found powerful CLI operations, but they are explicit package-aligned workflows rather than hidden install/import behavior. The odd self-dependency and missing main are packaging quality risks, not proof of malware.
Evidence
package.jsonbin/cli.jssrc/app.jssrc/lib/bootstrap-command-handler.jssrc/lib/mcp-command-handler.jssrc/lib/secrets-command-handler.jstemplates/test/test_local_image.sh

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json declares self-dependency "@aws/ml-container-creator": "^1.0.2", an unusual packaging issue.
  • package.json main points to missing src/index.js, but CLI bin uses bin/cli.js.
  • src/lib/mcp-command-handler.js can run npm install --production for bundled MCP servers, only after user invokes mcp add/init.
Evidence against
  • package.json has no preinstall/install/postinstall hook; prepare is only "husky || true".
  • bin/cli.js only dispatches user-invoked commands and runs python3 for the explicit hey advisor command.
  • src/app.js writes generated ML project templates to user-selected destination, with guard against overwriting the generator package.
  • src/lib/bootstrap-command-handler.js AWS/npx/ npm commands are tied to explicit bootstrap/CI provisioning actions.
  • templates/test/test_local_image.sh is a Docker/curl local test template, not install/import executed.
  • No credential harvesting or exfiltration logic found in inspected entrypoints.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 106 file(s), 1.33 MB of source, external domains: aws.amazon.com, awscli.amazonaws.com, console.aws.amazon.com, docs.aws.amazon.com, docs.vllm.ai, github.com, hub.docker.com, huggingface.co, json-schema.org, ngc.nvidia.com, nvidia.github.io, onnxruntime.ai, raw.githubusercontent.com, sgl-project.github.io

Source & flagged code

6 flagged · loading source
bin/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @aws/ml-container-creator@1.0.4 matchedIdentity = npm:[redacted]:1.0.4 similarity = 0.971 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/cli.jsView on unpkg
7import { fileURLToPath } from 'url'; L8: import { spawn, execSync } from 'child_process'; L9: import { program, Option, Help } from 'commander';
High
Child Process

Package source references child process execution.

bin/cli.jsView on unpkg · L7
src/lib/bootstrap-command-handler.jsView file
244try { L245: const existingStacks = this._execAws( L246: `cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE --query "StackSummaries[?starts_with(StackName,'${STACK_NAME_PREFIX}-')]....
High
Shell

Package source references shell execution.

src/lib/bootstrap-command-handler.jsView on unpkg · L244
416try { L417: execSync( L418: `npx cdk bootstrap aws://${profileData.accountId}/${profileData.awsRegion}`, L419: {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

src/lib/bootstrap-command-handler.jsView on unpkg · L416
templates/test/test_local_image.shView file
path = templates/test/test_local_image.sh kind = payload_in_excluded_dir sizeBytes = 2118 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

templates/test/test_local_image.shView on unpkg
path = templates/test/test_local_image.sh kind = build_helper sizeBytes = 2118 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/test/test_local_image.shView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/cli.js
HighChild Processbin/cli.js
HighShellsrc/lib/bootstrap-command-handler.js
HighRuntime Package Installsrc/lib/bootstrap-command-handler.js
HighPayload In Excluded Dirtemplates/test/test_local_image.sh
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/test/test_local_image.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings