AI Security Review
scanned 2h ago · by lpm-firewall-ai
The package is a user-invoked microsandbox management service. It contains a shell command injection risk in API-reachable msb CLI wrappers, but no evidence of intentional malware or install-time compromise.
Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
User runs lattice-microsandbox-service and an API caller supplies a crafted image ref or sandbox name.
Impact
Potential host command execution in the service process context if the API is exposed to untrusted callers.
Mechanism
Unsanitized string interpolation into child_process.exec shell commands.
Rationale
Static source inspection found a real API-reachable shell injection risk, so this should not be marked clean. There is no lifecycle hook, stealth persistence, exfiltration, or unconsented AI-agent control mutation indicating malicious package intent.
Evidence
- package.json
- src/cli.ts
- src/server.ts
- src/app.ts
- src/services/ImageService.ts
- src/services/MicrosandboxRuntimeService.ts
- src/services/SandboxRegistry.ts
- src/controllers/volume-fs.ts
- src/schemas/sandbox.ts
- /proc/net/unix
- /root/.microsandbox/run/agent
- ~/.microsandbox/bin/msb
- ~/.microsandbox/volumes
Network endpoints (1)
localhost:4002
Decision evidence
public snapshot
AI called this Suspicious at 86.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
- src/services/ImageService.ts uses execAsync with shell-interpolated image refs for msb image pull/inspect/rm.
- src/services/MicrosandboxRuntimeService.ts readMsbInspect interpolates the sandbox name into an execAsync shell command.
- src/server.ts binds the default host to 0.0.0.0; the API key is optional via MICROSANDBOX_API_KEY.
- src/schemas/images.ts and the sandbox name params do not appear to shell-escape refs/names before those exec paths.
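As an added illustration, not code from the package under review, the block below places the vulnerable shape these warnings describe (a caller-controlled ref pasted into a child_process.exec shell string) next to a hardened wrapper: allowlist-validate image refs and sandbox names, then hand them to execFile as an argv array so no shell ever parses them. It also encodes a bind policy for the 0.0.0.0 / optional API key finding. The function names, the regexes, the `msb inspect <name>` subcommand shape, and the loopback-or-API-key rule are assumptions of this example, not the project's API or the real msb CLI syntax.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Allowlist for OCI image references: [host[:port]/]path[:tag][@sha256:digest].
// Assumption of this example: the API only needs plain refs, never shell text.
const IMAGE_REF_RE =
  /^[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[0-9]+)?(?:\/[a-z0-9]+(?:[._-][a-z0-9]+)*)*(?::[A-Za-z0-9_][A-Za-z0-9._-]{0,127})?(?:@sha256:[a-f0-9]{64})?$/;

// Sandbox names restricted to a DNS-label shape (assumption; adjust to the runtime's rules).
const SANDBOX_NAME_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

function isValidImageRef(ref: string): boolean {
  return ref.length <= 255 && IMAGE_REF_RE.test(ref);
}

function isValidSandboxName(name: string): boolean {
  return SANDBOX_NAME_RE.test(name);
}

// The vulnerable shape the warnings describe: the caller's ref is pasted into a
// string that child_process.exec would hand to /bin/sh, so ';', '|', '$(...)'
// and backticks inside the ref become live shell syntax. Built as a string only.
function unsafeInspectCommand(ref: string): string {
  return `msb image inspect ${ref}`;
}

// Hardened shape: validate first, then build an argv array. execFile passes
// each element as one argument to the binary and never starts a shell.
function msbImageArgv(sub: "pull" | "inspect" | "rm", ref: string): string[] {
  if (!isValidImageRef(ref)) {
    throw new Error(`rejected image ref: ${JSON.stringify(ref)}`);
  }
  return ["image", sub, ref];
}

// Hypothetical subcommand shape for the readMsbInspect path; same validation rule.
function msbSandboxInspectArgv(name: string): string[] {
  if (!isValidSandboxName(name)) {
    throw new Error(`rejected sandbox name: ${JSON.stringify(name)}`);
  }
  return ["inspect", name];
}

// Runs msb with a validated argv. Not invoked in this file: it needs the msb
// binary (assumed at ~/.microsandbox/bin/msb or on PATH).
async function runMsb(argv: string[], msbPath = "msb"): Promise<string> {
  const { stdout } = await execFileAsync(msbPath, argv, { timeout: 30_000 });
  return stdout;
}

// Bind policy for the server finding: default to loopback and refuse a
// non-loopback host unless an API key is configured. Policy is an assumption.
interface ListenPolicy { host: string; apiKeyRequired: boolean }

function resolveListen(host: string | undefined, apiKey: string | undefined): ListenPolicy {
  const h = host ?? "127.0.0.1"; // not 0.0.0.0
  const loopback = h === "127.0.0.1" || h === "::1" || h === "localhost";
  if (!loopback && !apiKey) {
    throw new Error(`refusing to bind ${h} without MICROSANDBOX_API_KEY`);
  }
  return { host: h, apiKeyRequired: !loopback };
}
```

The allowlist is deliberately stricter than the full OCI reference grammar; widening it is safer than trying to escape arbitrary input, because the argv form already removes the shell from the path and validation only needs to keep junk out of msb itself.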
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- src/cli.ts only starts the Fastify service when the bin is invoked.
- No hardcoded exfiltration or C2 endpoints found; only localhost Swagger URL and user/configured OCI image refs.
- No eval/vm/Function, obfuscated payload, credential harvesting, persistence, or AI-agent control-surface mutation found.
- Sandbox file/command APIs are explicit runtime service features aligned with package purpose.
Behavioral surface
Child Process, Environment Vars, Filesystem, Shell
No License
Source & flagged code
1 flagged: dist/chunk-IKWYDXRG.mjs
matchType = previous_version_dangerous_delta
matchedPackage = @axiom-lattice/microsandbox-service@0.0.49
matchedIdentity = npm:[redacted]:0.0.49
similarity = 0.900
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/chunk-IKWYDXRG.mjs
Findings
1 High · 1 Medium · 3 Low
High · Previous Version Dangerous Delta · dist/chunk-IKWYDXRG.mjs
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · No License