registry  /  @doxbrix/cli  /  0.1.1

@doxbrix/cli@0.1.1

Doxbrix CLI — docs-as-code from the command line.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack surface is established. An explicit `dxb init` can add a Doxbrix authoring skill under the initialized project's `.claude/skills` directory.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `dxb init` without `--no-claude-skill`.
Impact
The new project gains agent instructions that influence future Claude Code authoring behavior; no unconsented install-time mutation or exfiltration was found.
Mechanism
Explicit first-party Claude Code skill scaffolding.
Rationale
The package is not malicious by source inspection, but its default `init` behavior writes an AI-agent skill into `.claude/skills`. Per policy this is a warn-level first-party agent extension lifecycle risk, not a publish-block event.
Evidence
package.jsondist/commands/init.jsdist/lib/claude-skill.generated.jsdist/lib/config.jsdist/lib/docs/frontmatter.jsdist/cli.js.claude/skills/doxbrix-authoring/SKILL.md.claude/skills/doxbrix-authoring/blocks-cheatsheet.md
Network endpoints1
app.doxbrix.com

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/commands/init.js` scaffolds `.claude/skills/doxbrix-authoring` during `dxb init`; the option defaults to enabled.
  • `dist/commands/init.js` writes `SKILL.md` and `blocks-cheatsheet.md` into the project agent-control directory.
  • The generated skill instructs an AI agent to use Doxbrix tooling when project markers are present.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • The agent-skill write is reached only by the explicit user command `dxb init`, not import or installation.
  • `dist/lib/claude-skill.generated.js` says not to publish or push without an explicit user request.
  • No eval, dynamic loading, shell execution, credential harvesting, or direct network API use was found; remote operations go through the package-aligned SDK.
  • `dist/lib/config.js` restricts token-bearing remote API origins to HTTPS, allowing HTTP only on loopback hosts.
  • The flagged Unicode in `dist/lib/docs/frontmatter.js` is a BOM accepted/removed by frontmatter parsing, not a bidi control-flow disguise.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 232 KB of source, external domains: api.example.com, app.doxbrix.com, cdn.jsdelivr.net, codesandbox.io, fonts.googleapis.com, fonts.gstatic.com, status.example.com, youtu.be

Source & flagged code

2 flagged · loading source
dist/lib/docs/frontmatter.jsView file
8contains invisible/control Unicode U+FEFF (zero width no-break space) const FRONTMATTER_RE = /^<U+FEFF>?---\r?\n([\s\S]*?)\r?\n---\r?\n?/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/lib/docs/frontmatter.jsView on unpkg · L8
Trigger-reachable chain: manifest.bin -> dist/cli.js -> dist/commands/index.js -> dist/commands/import.js -> dist/lib/docs/frontmatter.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/lib/docs/frontmatter.jsView on unpkg

Findings

2 Critical3 Medium4 Low
CriticalTrojan Source Unicodedist/lib/docs/frontmatter.js
CriticalTrigger Reachable Dangerous Capabilitydist/lib/docs/frontmatter.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings