AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Network, filesystem, package-manager, and Git-hook actions are tied to explicit CLI commands and documented package functions.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `alkahest publish`, `login`, `update`, `hook install`, `scan`, or `view`.
Impact
May save a token, upload a selected map, write `.alkahest` output, modify local Git hooks, or update this package when the user requests it.
Mechanism
Explicit CLI publishing, local analysis output, optional Git hooks, and self-update.
Rationale
The flagged primitives implement documented, user-invoked CLI capabilities rather than install-time or stealth behavior. Static inspection found no credential harvesting beyond an explicitly supplied service token and no unconsented foreign control-surface mutation.
Evidence
package.jsondist/cli.jsdist/commands/update.jsdist/commands/hook.jsdist/core/credentials.jsdist/core/publish.jsdist/core/serve.jsdist/core/version.js~/.alkahest/credentials.json~/.alkahest/update-check.json<projectRoot>/.alkahest/map.json<projectRoot>/.alkahest/index.html<projectRoot>/.git/hooks/post-commit<projectRoot>/.git/hooks/post-merge
Network endpoints2
ytcmzkrvtomtcrcyqqcb.supabase.co/functions/v1api.github.com/repos/cr8rcho/alkahest-cli/releases/latest
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/commands/update.js` explicitly runs `git pull` and `npm install` only via `alkahest update`.
- `dist/commands/hook.js` writes marked post-commit/post-merge hooks only via `alkahest hook install`.
- `dist/core/credentials.js` stores a user-provided publish token in `~/.alkahest/credentials.json`.
Evidence against
- `package.json` has no preinstall/install/postinstall hook; `prepare` only invokes the missing source build assets.
- `dist/cli.js` exposes update, hook, login, publish, and MCP behavior as explicit commands.
- `dist/core/serve.js` binds only to `127.0.0.1` and opens that printed local URL.
- `dist/core/publish.js` sends the scanned map only after explicit publish and token resolution.
- No eval, VM execution, opaque payload loading, or foreign AI-agent config writes were found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
3 flagged · loading sourcedist/core/serve.jsView file
3import { extname, resolve } from "node:path";
L4: import { spawn } from "node:child_process";
L5: import { platform } from "node:os";
High
dist/commands/update.jsView file
23console.log("[alkahest] update by reinstalling the latest from npm:");
L24: console.log(` npm install -g ${pkgName}@latest`);
L25: return;
L26: }
L27: const run = (cmd, args) => execFileSync(cmd, args, { cwd: pkgRoot, stdio: "inherit" });
L28: try {
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/update.jsView on unpkg · L23dist/core/publish.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @cr8rcho/alkahest@0.1.37
matchedIdentity = npm:QGNyOHJjaG8vYWxrYWhlc3Q:0.1.37
similarity = 0.943
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/core/publish.jsView on unpkgFindings
1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/core/publish.js
HighChild Processdist/core/serve.js
HighShell
HighRuntime Package Installdist/commands/update.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings