registry  /  @caplets/core  /  0.34.0

@caplets/core@0.34.0

Core runtime library for Caplets Code Mode and progressive disclosure gateways.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `caplets setup` or approves and runs configured Caplet setup.
Impact
Can alter selected local AI-agent/MCP configuration and run configured setup commands; no unconsented trigger was found.
Mechanism
Explicit agent-config mutation and approved command execution.
Rationale
The scanner’s process, listener, network, and dynamic-code signals map to declared runtime/CLI features and bundled dependencies, not an automatic malicious chain. Flag as warn because the package deliberately modifies AI-agent integration configuration through an explicit setup command.
Evidence
package.jsondist/index.jsdist/setup/runner.d.ts
Network endpoints3
catalog.caplets.dev/api/v1/catalog/install-signalsregistry.npmjs.org/capletscloud.caplets.dev

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` exposes `caplets setup` for Codex, Claude Code, OpenCode, Pi, and MCP clients.
  • Explicit setup calls `upsertServer` to modify a selected MCP client configuration.
  • `dist/index.js` can execute configured Caplet setup commands with inherited environment variables.
Evidence against
  • `package.json` contains no preinstall, install, postinstall, or other lifecycle hook.
  • Entrypoint inspection shows no top-level call that starts a daemon, server, setup, or child process on import.
  • Agent configuration mutation is behind the explicit `caplets setup` CLI command.
  • Setup command execution uses `shell: false`, timeouts, output limits, and secret redaction.
  • Network URLs are Caplets catalog/cloud and npm update-check endpoints, consistent with package functionality.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 3.59 MB of source, external domains: 127.0.0.1, base-ui.com, caplets.dev, caplets.example.com, catalog.caplets.dev, cloud.caplets.dev, developer.mozilla.org, eu-assets.i.posthog.com, eu.i.posthog.com, github.com, json-schema.org, posthog.com, raw.githubusercontent.com, react.dev, registry.npmjs.org, schemas.microsoft.com, sentry.io, us-assets.i.posthog.com, us.i.posthog.com, www.apple.com, www.cl.cam.ac.uk, www.cloudflare.com, www.w3.org, yandex.com
Oversized source lightweight scan
dist/user-settings-CgxB92KJ.js2.78 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringscloud.caplets.devschemas.microsoft.comwww.apple.com

Source & flagged code

9 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @caplets/core@0.32.1 matchedIdentity = npm:QGNhcGxldHMvY29yZQ:0.32.1 similarity = 0.783 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
18import path, { basename, dirname, isAbsolute, join, normalize, parse, posix, relative, resolve, sep, win32 } from "node:path"; L19: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L20: import process$1, { stdin, stdout } from "node:process";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L18
4216if (process$1.versions?.electron) parseOptions.from = "electron"; L4217: const execArgv = process$1.execArgv ?? []; L4218: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L4216
18Cross-file remote execution chain: dist/index.js spawns dist/schemas-BAO61JRY.js; helper contains network access plus dynamic code execution. L18: import path, { basename, dirname, isAbsolute, join, normalize, parse, posix, relative, resolve, sep, win32 } from "node:path"; L19: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L20: import process$1, { stdin, stdout } from "node:process"; L21: import { Readable, Writable } from "node:stream"; L22: import { STATUS_CODES, createServer } from "node:http"; L23: import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto"; ... L182: else if (format === "cidr-v6") stringSchema = stringSchema.check(z.cidrv6()); L183: else if (format === "base64") stringSchema = stringSchema.check(z.base64()); L184: else if (format === "base64url") stringSchema = stringSchema.check(z.base64url()); ... L1938: this.writeErr = options.writeErr ?? ((value) => { L1939: process.stderr.write(value); L1940: });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L18
18Detached bundled service listener: dist/index.js launches a Node helper and exposes a broad-bound HTTP listener. L18: import path, { basename, dirname, isAbsolute, join, normalize, parse, posix, relative, resolve, sep, win32 } from "node:path"; L19: import childProcess, { execFile, execFileSync, spawn } from "node:child_process"; L20: import process$1, { stdin, stdout } from "node:process"; L21: import { Readable, Writable } from "node:stream"; L22: import { STATUS_CODES, createServer } from "node:http"; L23: import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto"; ... L182: else if (format === "cidr-v6") stringSchema = stringSchema.check(z.cidrv6()); L183: else if (format === "base64") stringSchema = stringSchema.check(z.base64()); L184: else if (format === "base64url") stringSchema = stringSchema.check(z.base64url()); ... L1938: this.writeErr = options.writeErr ?? ((value) => { L1939: process.stderr.write(value); L1940: });
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/index.jsView on unpkg · L18
20599patternName = generic_password severity = medium line = 20599 matchedText = password...ed]"
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L20599
2634* https://www.typescriptlang.org/docs/handbook/jsdoc-supported-types.html#import-types L2635: * @typedef { import("./argument.js").Argument } Argument L2636: * @typedef { import("./command.js").Command } Command
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L2634
dist/completion-R9xY83Pe.jsView file
4103try { L4104: const utilInspect = eval("require('util').inspect"); L4105: _custom = utilInspect.custom;
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/completion-R9xY83Pe.jsView on unpkg · L4103
dist/user-settings-CgxB92KJ.jsView file
path = dist/user-settings-CgxB92KJ.js kind = oversized_source_file sizeBytes = 2919655 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/user-settings-CgxB92KJ.jsView on unpkg

Findings

1 Critical5 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/index.js
HighSpawned Bundled Service Listenerdist/index.js
HighOversized Source Filedist/user-settings-CgxB92KJ.js
MediumSecret Patterndist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/completion-R9xY83Pe.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings