registry  /  @cascateer/sterio  /  1.0.12

@cascateer/sterio@1.0.12

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a music collection/server tool that fetches Spotify/YouTube metadata, downloads media/artwork, and writes local cache/output files during explicit runtime commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs npm scripts such as start/serve or calls API routes/CLI functionality.
Impact
Local grant/cache/output files may be created or updated as part of intended operation; no malicious exfiltration or install-time mutation found.
Mechanism
package-aligned media metadata fetch, OAuth grant storage, and local file cache/output generation
Rationale
Static inspection shows potentially sensitive primitives only in package-aligned, user-invoked Spotify/YouTube media workflows, with no install hook or hidden exfiltration chain. The empty .env and absence of lifecycle scripts make the scanner hints non-blocking.
Evidence
package.json.envsrc/config.tssrc/Spotify.service.tssrc/Youtube.service.tssrc/YoutubeMusic.service.tssrc/tables.tssrc/main.tssrc/app.tssrc/controller.ts.env.localSPOTIFY_GRANT_PATHfiles/out/tables/
Network endpoints6
youtube.com/watch?v=music.youtube.com/playlist?list=www.youtube.com/playlist?list=open.spotify.com/intl-de/album/127.0.0.1:2700/git+https://github.com/cascateer/sterio.git

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/Spotify.service.ts reads/writes a local Spotify grant path from env and opens a browser via child_process.exec during explicit auth flow.
  • src/tables.ts fetches artwork URLs and uses ytdlp-nodejs/FFmpeg to download media when runtime table access requests it.
  • src/main.ts can remove and recreate an out directory and copy/tag audio files when run with --out.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and no bin entrypoint.
  • .env is zero bytes; scanner critical_secret hint is a false positive by source inspection.
  • Network behavior is aligned with declared Spotify/YouTube/music collection functionality.
  • No evidence of credential harvesting, exfiltration endpoint, remote payload loading, persistence, or AI-agent control-surface mutation.
  • Risky operations are user-invoked runtime/server/CLI paths, not install-time or import-time execution.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 67 file(s), 177 KB of source, external domains: 127.0.0.1, developer.spotify.com, music.youtube.com, open.spotify.com, www.youtube.com, youtube.com

Source & flagged code

1 flagged · loading source
patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg

Findings

1 Critical1 Medium4 Low
CriticalCritical Secret.env
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License