@drawcall/market@0.1.45

Typed client, dependency resolver, and CLI for the [Drawcall Market](https://market.drawcall.ai) — an asset marketplace for 3D models, textures, animations, audio, environments, flipbooks, and templates.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

The package is a Drawcall Market CLI that can install marketplace assets into a project. The unresolved risk is that asset metadata can cause a user-invoked install to run npx skills add -y for declared skill dependencies, mutating agent skill surfaces non-interactively.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs market install, market generate, market preview, market login, or imports/calls the install entry point.
Impact
Could install remote or asset-shipped agent skills and project dependencies selected by marketplace asset metadata; no install-time or import-time attack behavior is present.
Mechanism
user-invoked asset download, project file writes, package manager install, and noninteractive skills CLI add
Attack narrative
A user running market install resolves assets through the Drawcall API, downloads zip files, writes their normalized contents into the project, updates package.json/.drawcall lock state, may run the package manager, and then executes npx skills add -y for any skillDependencies declared by the resolved assets. This is agent-facing and noninteractive, but it is not delivered by an npm lifecycle hook or import-time code.
Rationale
Static inspection does not show malware or unconsented lifecycle execution, but the CLI can noninteractively install agent skills from marketplace metadata during a user-invoked asset install. Treat as a warning-level dangerous capability rather than a publish block.
Evidence
  • package.json
  • dist/cli.js
  • dist/client.js
  • dist/config.js
  • dist/install.js
  • dist/commands/install.js
  • dist/commands/preview.js
  • skills/market/SKILL.md
  • project package.json
  • .drawcall/market-lock.json
  • downloaded asset zip normalized paths
  • preview output path
  • drawcall-market config.json
Network endpoints (2)
  • api.market.drawcall.ai/api/rpc
  • auth.drawcall.ai/api/auth

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/install.js installs declared skillDependencies by running execFile('npx', ['--yes','skills','add', source, '-y']).
  • dist/install.js downloads asset zip content from the Market API and writes normalized files into the caller project, then may merge dependencies into project package.json and run package manager install.
  • skills/market/SKILL.md documents that installed assets may declare skill dependencies installed via skills add during market install.
  • dist/commands/preview.js fetches dynamic asset.previewUrl and writes the bytes to a user-selected output path.
Evidence against
  • package.json has no npm lifecycle scripts; install behavior is exposed through the user-invoked market CLI, not postinstall/import-time execution.
  • dist/install.js rejects unsafe zip paths containing .. or absolute paths before writing downloaded asset files.
  • dist/config.js stores only its own authToken/baseUrl under drawcall-market config with restrictive chmod; no broad credential harvesting was found.
  • Network hosts are package-aligned Drawcall endpoints or user/API-supplied asset preview URLs.
  • No obfuscated payload, eval/vm/Function, shell startup persistence, VCS hook writes, or AI-agent config file rewrites were found in inspected source.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 54 file(s), 185 KB of source, external domains: api.market.drawcall.ai, auth.drawcall.ai, github.com

Source & flagged code

3 flagged
dist/install.js
    matchType = previous_version_dangerous_delta
    matchedPackage = @drawcall/market@0.1.44
    matchedIdentity = npm:QGRyYXdjYWxsL21hcmtldA:0.1.44
    similarity = 0.962
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/install.js

    L8:  *
    L9:  * NOTE: This module uses Node.js APIs (fs, path, nypm, child_process) and is
    L10: * only used by the CLI binary; it is NOT exported from the package index.
High
Child Process

Package source references child process execution.

dist/install.js · L8

    L327: return new Promise((resolve, reject) => {
    L328:     execFile('npx', ['--yes', 'skills', 'add', source, '-y'], { cwd }, (error, _stdout, stderr) => {
    L329:         if (error) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install.js · L327

Findings

1 Critical · 3 High · 3 Medium · 5 Low
  • Critical · Previous Version Dangerous Delta · dist/install.js
  • High · Child Process · dist/install.js
  • High · Shell
  • High · Runtime Package Install · dist/install.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License