@drawcall/market@0.1.47

Typed client, dependency resolver, and CLI for the [Drawcall Market](https://market.drawcall.ai) — an asset marketplace for 3D models, textures, animations, audio, environments, flipbooks, and templates.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found, but the CLI can install asset-declared agent skills non-interactively as part of an explicit asset install. This is a guarded, user-invoked marketplace capability rather than npm install-time control hijack.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs `market install` or `market generate` for assets with skill/npm dependencies.
Impact
Downloaded asset files and dependencies can be added to the project; declared skills can be registered through the local skills CLI.
Mechanism
user-invoked asset installer with project writes, npm install, and `skills add` integration
Attack narrative
The suspicious behavior is concentrated in the explicit CLI install path: assets are resolved from Drawcall Market, ZIP contents are written into the project, npm dependencies may be installed, and asset-declared skill sources are passed to `npx skills add -y`. Because there are no lifecycle hooks or import-time side effects, and the skill installation is tied to documented user-invoked marketplace installs, this does not meet the block threshold for unconsented agent control hijack.
Rationale
Static inspection shows a documented marketplace CLI with network/download/install capabilities and noninteractive skill installation, but no npm lifecycle execution or covert behavior. The remaining risk is agent-extension capability abuse from asset-declared skills, best handled as a warning rather than a publish block.
Evidence
  • package.json
  • src/cli.ts
  • src/install.ts
  • src/commands/install.ts
  • src/cli-client.ts
  • src/config.ts
  • src/skill.ts
  • skills/market/SKILL.md
  • .drawcall/market-lock.json
  • public/...drawcall-market/config.json
Network endpoints (2)
  • api.market.drawcall.ai
  • auth.drawcall.ai/api/auth

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/install.ts runs `npx --yes skills add <source> -y` for asset-declared skillDependencies during `market install`.
  • src/install.ts downloads/unzips asset ZIPs and writes contents into the target project root.
  • src/install.ts may run package manager install when downloaded assets or merged dependencies require it.
  • src/cli-client.ts reads DRAWCALL_AUTH_TOKEN and MARKET_API_URL; src/config.ts persists login tokens under drawcall-market config.
Evidence against
  • package.json has no npm lifecycle hooks; execution is via explicit `market` CLI bin or imported APIs.
  • src/install.ts rejects absolute and `..` ZIP paths before writing files.
  • src/install.ts uses execFile with fixed executable/argv, not shell interpolation.
  • Network calls are package-aligned to Drawcall Market/Auth APIs or user-supplied --api.
  • No credential harvesting, broad filesystem scanning, persistence, destructive behavior, eval/vm, or import-time execution found.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 54 file(s), 189 KB of source, external domains: api.market.drawcall.ai, auth.drawcall.ai, github.com

Source & flagged code

3 flagged
dist/install.js
  • matchType = previous_version_dangerous_delta
  • matchedPackage = @drawcall/market@0.1.45
  • matchedIdentity = npm:QGRyYXdjYWxsL21hcmtldA:0.1.45
  • similarity = 0.885
  • summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/install.js

```
L8:   *
L9:   * NOTE: This module uses Node.js APIs (fs, path, nypm, child_process) and is
L10:  * only used by the CLI binary; it is NOT exported from the package index.
```
High
Child Process

Package source references child process execution.

dist/install.js · L8

```
L361: return new Promise((resolve, reject) => {
L362:     execFile('npx', ['--yes', 'skills', 'add', source, '-y'], { cwd }, (error, _stdout, stderr) => {
L363:         if (error) {
```
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/install.js · L361

Findings

1 Critical · 3 High · 3 Medium · 5 Low
  • Critical · Previous Version Dangerous Delta · dist/install.js
  • High · Child Process · dist/install.js
  • High · Shell
  • High · Runtime Package Install · dist/install.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License