registry  /  @coreframe/scripts  /  0.1.17

@coreframe/scripts@0.1.17

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `coreframe upgrade check-skill-current --apply` or enables managed development and requests a generated commit message.
Impact
Can alter the behavior of the project-local Coreframe upgrade skill; no unconsented install-time mutation is established.
Mechanism
Explicit project-local AI skill replacement and user-invoked Codex subprocess.
Rationale
No concrete malicious installation, stealth persistence, credential exfiltration, or remote payload chain was found. The explicit agent-skill mutation is a real capability that merits a warning under the firewall policy.
Evidence
package.jsondist/coreframe.jsdist/upgrade/check-skill-current.jsdist/managed-dev.jsdist/dev.js.agents/skills/coreframe-upgrade/SKILL.md.git/coreframe-managed-dev.lock.git/coreframe-managed-dev/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/upgrade/check-skill-current.js` writes `.agents/skills/coreframe-upgrade/SKILL.md` when `apply` is true.
  • `dist/coreframe.js` exposes this mutation as `coreframe upgrade check-skill-current --apply`.
  • `dist/managed-dev.js` invokes `codex exec` with working-tree content to generate a commit message during managed development.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • The agent-skill write is an explicit, documented `--apply` command, not install-time behavior.
  • The Codex subprocess uses `--ephemeral`, `--ignore-user-config`, and `--sandbox read-only`.
  • No package code writes broad home-directory or foreign AI-agent configuration paths.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 41 file(s), 107 KB of source, external domains: 127.0.0.1, api.cloudflare.com, github.com

Source & flagged code

2 flagged · loading source
dist/managed-dev.jsView file
1import{managedDevTokenEnv as e,managedDevUrlEnv as t}from"./managed-dev-protocol.js";import{createRequire as n}from"node:module";import{createHash as r,randomBytes as i}from"node:c... L2: `),fingerprint:o.digest(`hex`),tracked:t.length>0,untracked:a}}async function ae(e,t,n){let{stdout:r}=await m(`codex`,[`exec`,`--ephemeral`,`--ignore-user-config`,`--sandbox`,`read...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/managed-dev.jsView on unpkg · L1
dist/deploy.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @coreframe/scripts@0.1.16 matchedIdentity = npm:QGNvcmVmcmFtZS9zY3JpcHRz:0.1.16 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/deploy.jsView on unpkg

Findings

1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/deploy.js
MediumDynamic Requiredist/managed-dev.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License