registry  /  @cascateer/sterio  /  1.0.18

@cascateer/sterio@1.0.18

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a media/library tool that talks to Spotify, YouTube, and Google APIs and writes local cache/output files only when its app or scripts are run.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user execution of npm scripts such as start or serve, or API calls to the local Express app.
Impact
User-authorized local media collection processing; no unconsented install-time behavior found.
Mechanism
package-aligned media metadata lookup, OAuth grant storage, artwork/audio download, and HTML/audio output generation
Rationale
Static source inspection found suspicious primitives, but they are aligned with the package's Spotify/YouTube media-management purpose and are activated by explicit runtime use, not installation. No concrete malicious chain or unconsented mutation/exfiltration behavior was present.
Evidence
package.json.envsrc/config.tssrc/Spotify.service.tssrc/Youtube.service.tssrc/YoutubeMusic.service.tssrc/tables.tssrc/main.tssrc/app.tssrc/controller.ts
Network endpoints5
127.0.0.1:2700youtube.com/watch?v=music.youtube.com/playlist?list=www.youtube.com/playlist?list=open.spotify.com/intl-de/album/

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • .env is bundled and config.ts loads .env.local/.env, but values are used for Spotify/Youtube API configuration.
  • src/Spotify.service.ts uses child_process.exec to open a Spotify auth URL when authorization is requested.
  • src/tables.ts can fetch artwork URLs and use ytdlp-nodejs to download audio streams during user-invoked album processing.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and no bin entrypoint.
  • Exports only ./api to generated client code; runtime scripts are explicit npm scripts.
  • Network use is package-aligned: Spotify, YouTube/Google APIs, YouTube media/artwork, local Express server.
  • No source evidence of credential harvesting, broad filesystem scanning, exfiltration, persistence, or AI-agent control-surface writes.
  • File writes are local app data/cache/output/grant paths tied to media/library functionality.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 80 file(s), 205 KB of source, external domains: 127.0.0.1, developer.spotify.com, music.youtube.com, open.spotify.com, www.youtube.com, youtube.com

Source & flagged code

1 flagged · loading source
patternName = blocked_file severity = critical matchedText = .env redactedSecretContext = secretLikeLines = 0 notes = no secret-like key/value lines found in sampled text
Critical
Critical Secret

Package contains a critical-looking secret pattern.

.envView on unpkg

Findings

1 Critical1 Medium4 Low
CriticalCritical Secret.env
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License