registry  /  @cascateer/sterio  /  1.0.10

@cascateer/sterio@1.0.10

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime features contact Spotify/YouTube/YouTube Music and write local media/cache/output files for a music collection tool when its server or scripts are explicitly run.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user runtime commands such as npm run serve/start or app API calls
Impact
Expected local media/catalog generation; no install-time mutation or exfiltration identified
Mechanism
music metadata lookup, OAuth token refresh, media/artwork download, local cache/output writes
Rationale
Static inspection shows a domain-specific TypeScript music catalog/downloader with user-invoked network and filesystem behavior, and the suspicious .env secret hint is empty. There is no lifecycle hook, import-time payload, exfiltration, persistence, destructive behavior, or unauthorized AI-agent surface mutation.
Evidence
package.json.envsrc/config.tssrc/Spotify.service.tssrc/Youtube.service.tssrc/YoutubeMusic.service.tssrc/tables.tssrc/main.tssrc/app.tssrc/controller.tsSPOTIFY_GRANT_PATH from envfiles/* via @cascateer/database file tablesout/* when --out is passed
Network endpoints5
youtube.com/watchmusic.youtube.com/playlistwww.youtube.com/playlistopen.spotify.com/intl-de/album127.0.0.1:2700

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks and no bin/main auto-execution entrypoint; only ./api export.
    • .env is present but zero bytes, so the scanner secret finding is false positive.
    • src/tables.ts network/file writes are package-aligned: fetch artwork, download YouTube audio with ytdlp, write cache files under package-derived file tables.
    • src/Spotify.service.ts reads/writes a configured Spotify grant path and opens Spotify OAuth via user-triggered runtime flow, not install/import time.
    • No credential harvesting, broad filesystem scanning, exfiltration endpoint, persistence, or AI-agent control-surface writes found.
    Behavioral surface
    Source
    ChildProcessFilesystemNetworkShell
    Supply chain
    UrlStrings
    Manifest
    NoLicense
    scanned 38 file(s), 110 KB of source, external domains: 127.0.0.1, developer.spotify.com, music.youtube.com, open.spotify.com, www.youtube.com, youtube.com

    Source & flagged code

    1 flagged · loading source
    patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    .envView on unpkg

    Findings

    1 Critical1 Medium4 Low
    CriticalCritical Secret.env
    MediumNetwork
    LowScripts Present
    LowFilesystem
    LowUrl Strings
    LowNo License