registry  /  @ciderpress/cli  /  1.0.0-rc.8

@ciderpress/cli@1.0.0-rc.8

CLI for building and serving ciderpress documentation sites

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Dangerous primitives are user-invoked CLI behavior for documentation generation, local dev serving, git inspection, and scoped cleanup.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs ciderpress CLI commands such as setup, dev, build, serve, sync, clean, or diff.
Impact
Creates or removes project documentation artifacts under .ciderpress and may write ciderpress.config.ts/.gitignore on explicit setup.
Mechanism
documentation-site CLI file generation and local server operations
Rationale
Static inspection of the bundled source map and package files shows a normal Ciderpress documentation CLI; scanner hits map to bundled dependencies or explicit commands. There is no install-time mutation, exfiltration, persistence, or remote code execution behavior.
Evidence
package.jsondist/index.mjsdist/index.mjs.mapREADME.mdtemplates/openapi-overview.liquidtemplates/openapi-operation.liquidciderpress.config.ts.gitignore.ciderpress/<tmpdir>/ciderpress/error-*.log

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; only bin maps ciderpress to dist/index.mjs.
    • dist/index.mjs.map shows sourceContent for a docs-site CLI with setup/dev/build/serve/sync/clean commands.
    • setup writes ciderpress.config.ts, .ciderpress/.gitignore, and generated assets only after explicit user command.
    • clean/sync removals are scoped to derived .ciderpress cache/content/dist or manifest-tracked output paths.
    • child_process use is package-aligned: git remote/status/diff and browser open helpers, no shell eval or remote payload execution.
    • No credential exfiltration or package-owned network endpoint found; URLs are docs, local dev server, or OpenAPI examples.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystem
    Supply chain
    HighEntropyStringsMinifiedObfuscatedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 402 KB of source, external domains: api.example.com, github.com, www.w3.org

    Source & flagged code

    5 flagged · loading source
    dist/index.mjsView file
    199contains invisible/control Unicode U+FEFF (zero width no-break space) `?(s++,c=0):e?c+=e.length:c++,e&&(o+=e.length),e}let ee={default(){switch(_){case` `:case`\v`:case`\f`:case` `:case`\xA0`:case`<U+FEFF>`:case`
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    dist/index.mjsView on unpkg · L199
    Trigger-reachable chain: manifest.exports -> dist/index.mjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index.mjsView on unpkg
    27*/ L28: function Ca(e){if(Array.isArray(e))return e.map(e=>typeof e==`string`?e:e+``);e=e.trim();let t=0,n=null,r=null,i=null,a=[];for(let o=0;o<e.length;o++){if(n=r,r=e.charAt(o),r===` `&... L29: `);w.div(`${e}\n`)}return w.toString().replace(/\s*$/,``)};function v(e,n,r){let i=0;return Array.isArray(e)||(e=Object.values(e).map(e=>[e])),e.forEach(e=>{i=Math.max(t.stringWidt...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/index.mjsView on unpkg · L27
    2L3: import{createRequire as e}from"node:module";import t,{basename as n,dirname as r,extname as i,isAbsolute as a,join as o,resolve as s,sep as c}from"node:path";import l,{existsSync a... L4: `)},note(e,t,r){C.note(e,t,kr(n,r))},box(e,t,n){C.box(e,t,kr(r,n))},outro(e){C.outro(e,n)},raw(e){t.write(`${e}\n`)},step(e,t){C.log.step(e,kr(n,t))},success(e,t){C.log.success(e,k... ... L27: */ L28: function Ca(e){if(Array.isArray(e))return e.map(e=>typeof e==`string`?e:e+``);e=e.trim();let t=0,n=null,r=null,i=null,a=[];for(let o=0;o<e.length;o++){if(n=r,r=e.charAt(o),r===` `&... L29: `);w.div(`${e}\n`)}return w.toString().replace(/\s*$/,``)};function v(e,n,r){let i=0;return Array.isArray(e)||(e=Object.values(e).map(e=>[e])),e.forEach(e=>{i=Math.max(t.stringWidt... ... L32: # L33: # Installation: {{app_path}} {{completion_command}} >> ~/.bashrc L34: # or {{app_path}} {{completion_command}} >> ~/.bash_profile on OSX. ... L85: `}));function $o(e,t,n,r){return new ns(e,t,n,r)}function es(e){return e.length<3}function ts(e){return e.length>3}var ns,rs=I((()=>{Ro(),fo(),Qo(),mo(),vo(),ns=class{constructor(e... L86: `)}`:``;t.fail(i(`Missing required argument: %s`,`Missing required argumen
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/index.mjsView on unpkg · L2
    2L3: import{createRequire as e}from"node:module";import t,{basename as n,dirname as r,extname as i,isAbsolute as a,join as o,resolve as s,sep as c}from"node:path";import l,{existsSync a... L4: `)},note(e,t,r){C.note(e,t,kr(n,r))},box(e,t,n){C.box(e,t,kr(r,n))},outro(e){C.outro(e,n)},raw(e){t.write(`${e}\n`)},step(e,t){C.log.step(e,kr(n,t))},success(e,t){C.log.success(e,k... ... L27: */ L28: function Ca(e){if(Array.isArray(e))return e.map(e=>typeof e==`string`?e:e+``);e=e.trim();let t=0,n=null,r=null,i=null,a=[];for(let o=0;o<e.length;o++){if(n=r,r=e.charAt(o),r===` `&... L29: `);w.div(`${e}\n`)}return w.toString().replace(/\s*$/,``)};function v(e,n,r){let i=0;return Array.isArray(e)||(e=Object.values(e).map(e=>[e])),e.forEach(e=>{i=Math.max(t.stringWidt... ... L32: # L33: # Installation: {{app_path}} {{completion_command}} >> ~/.bashrc L34: # or {{app_path}} {{completion_command}} >> ~/.bash_profile on OSX. ... L85: `}));function $o(e,t,n,r){return new ns(e,t,n,r)}function es(e){return e.length<3}function ts(e){return e.length>3}var ns,rs=I((()=>{Ro(),fo(),Qo(),mo(),vo(),ns=class{constructor(e... L86: `)}`:``;t.fail(i(`Missing required argument: %s`,`Missing required argumen
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/index.mjsView on unpkg · L2

    Findings

    2 Critical4 Medium6 Low
    CriticalTrojan Source Unicodedist/index.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/index.mjs
    MediumDynamic Requiredist/index.mjs
    MediumEnvironment Vars
    MediumInstall Persistencedist/index.mjs
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/index.mjs
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings