
@axiom-lattice/microsandbox-service@0.0.48

`@axiom-lattice/microsandbox-service` runs an HTTP service for managing microsandbox-backed sandbox lifecycle operations.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious package behavior was found, but the runtime service exposes host shell command-injection risk through unsanitized values passed to execAsync. Activation requires running the service and calling affected API paths or methods.

Static reason: No blocking static signals were detected.
Trigger: Explicit CLI/server runtime API calls.
Impact: Potential host command execution under the service user if an attacker controls the image ref or sandbox name.
Mechanism: Unsanitized shell interpolation in the microsandbox CLI wrappers.
Rationale: Static source inspection shows a package-aligned sandbox service with no install-time abuse or exfiltration, but with real, unresolved host command-injection risk in runtime API paths. This warrants a warning rather than blocking the package as malware.
Evidence (files and paths referenced):
  • package.json
  • src/cli.ts
  • src/app.ts
  • src/server.ts
  • src/services/ImageService.ts
  • src/services/MicrosandboxRuntimeService.ts
  • src/services/SandboxRegistry.ts
  • src/controllers/images.ts
  • src/controllers/sandbox.ts
  • /proc/net/unix
  • /root/.microsandbox/run/agent
  • ~/.microsandbox
Network endpoints (1):
  • localhost:4002

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • src/services/ImageService.ts interpolates user-controlled image ref into execAsync shell commands for pull/inspect/remove.
  • src/services/MicrosandboxRuntimeService.ts interpolates sandbox name into execAsync(`${getMsbPath()} inspect ${name} --format json`).
  • src/app.ts makes API authentication optional; routes are exposed when server is run without MICROSANDBOX_API_KEY.
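The first two warning items, as an added example that is not code from @axiom-lattice/microsandbox-service: the shell-interpolated command string the review quotes, beside the hardened form (allow-list validation, then an argv array handed to Node's `execFile`, which spawns the binary without a shell). `msbPath` stands in for whatever `getMsbPath()` returns, the two allow-list patterns and the image subcommand names are this example's assumptions rather than anything the package defines, and the `x; touch /tmp/pwned` string is constructed here only to show what a shell would parse.

```typescript
// Added example, not code from @axiom-lattice/microsandbox-service.
// Flagged pattern (shell-interpolated command string) beside the hardened
// pattern (validated argv array passed to execFile, no shell involved).
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Allow-list for sandbox names (assumed policy): must start alphanumeric, so a
// name can never be parsed as an option such as "--rm"; no shell metacharacters.
const SANDBOX_NAME = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/;

// Allow-list for image references (assumed OCI-style shape):
//   [registry[:port]/]repo[/path...][:tag][@sha256:<64 hex>]
const IMAGE_REF =
  /^(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]{1,5})?\/)?[a-z0-9]+(?:[._-][a-z0-9]+)*(?:\/[a-z0-9]+(?:[._-][a-z0-9]+)*)*(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?(?:@sha256:[a-f0-9]{64})?$/;

export function isSafeSandboxName(name: string): boolean {
  return SANDBOX_NAME.test(name);
}

export function isSafeImageRef(ref: string): boolean {
  // Length cap first so the regex never runs over attacker-sized input.
  return ref.length <= 255 && IMAGE_REF.test(ref);
}

// Vulnerable shape (the pattern the review flags): the returned string is what
// /bin/sh would parse. With name = "x; touch /tmp/pwned" the shell sees two
// commands, not one argument.
export function vulnerableInspectCommand(msbPath: string, name: string): string {
  return `${msbPath} inspect ${name} --format json`;
}

// Hardened shape: binary plus argv array, same argument order the review
// quotes. Nothing is shell-parsed, and the name is validated before it can
// reach the process at all.
export function safeInspectArgv(
  msbPath: string,
  name: string,
): { file: string; args: string[] } {
  if (!isSafeSandboxName(name)) {
    throw new Error(`invalid sandbox name: ${JSON.stringify(name)}`);
  }
  return { file: msbPath, args: ["inspect", name, "--format", "json"] };
}

// Same idea for the image operations the review lists. The subcommand names
// are assumed; adjust them to what the real msb CLI accepts.
export function safeImageArgv(
  msbPath: string,
  op: "pull" | "inspect" | "remove",
  ref: string,
): { file: string; args: string[] } {
  if (!isSafeImageRef(ref)) {
    throw new Error(`invalid image ref: ${JSON.stringify(ref)}`);
  }
  return { file: msbPath, args: [op, ref] };
}

// Runs the hardened form. execFile spawns the binary directly, so each argv
// element is passed verbatim; a timeout and output cap bound a misbehaving CLI.
export async function inspectSandbox(msbPath: string, name: string): Promise<unknown> {
  const { file, args } = safeInspectArgv(msbPath, name);
  const { stdout } = await execFileAsync(file, args, { timeout: 30_000, maxBuffer: 1 << 20 });
  return JSON.parse(stdout) as unknown;
}
```

The validation step matters even with `execFile`: without it, a name beginning with `-` would still reach the CLI as an option (argument injection), which the allow-list rules out by requiring a leading alphanumeric character.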
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • src/cli.ts only starts the Fastify service on explicit CLI execution.
  • Source behavior is package-aligned microsandbox management, not stealth install-time persistence or exfiltration.
  • No credential harvesting, reviewer prompt injection, or AI-agent control-surface mutation found.
Behavioral surface
Source: Child process, Environment vars, Filesystem, Shell
Supply chain: No supply-chain packaging signals triggered.
Manifest: No license
scanned 30 file(s), 109 KB of source

Source & flagged code

3 flagged (references are to the published source on unpkg)
  • src/services/ImageService.ts (Medium, AI review evidence): interpolates user-controlled image ref into execAsync shell commands for pull/inspect/remove.
  • src/services/MicrosandboxRuntimeService.ts (Medium, AI review evidence): interpolates sandbox name into execAsync(`${getMsbPath()} inspect ${name} --format json`).
  • src/app.ts (Medium, AI review evidence): makes API authentication optional; routes are exposed when the server is run without MICROSANDBOX_API_KEY.

Findings

4 Medium, 3 Low
  • Medium: Environment Vars
  • Medium: AI Review Evidence (src/services/ImageService.ts)
  • Medium: AI Review Evidence (src/services/MicrosandboxRuntimeService.ts)
  • Medium: AI Review Evidence (src/app.ts)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: No License