AI Security Review
scanned 3h ago · by lpm-firewall-aiA user-invoked template initialization can execute template-provided shell commands. A remote or imported template may also receive values read from nearby `.env` files and run its post-config tasks.
Static reason
No blocking static signals were detected.
Trigger
User or automation runs `pt init` on a template, especially with `--yes`; remote template ingestion requires confirmation or `--allow-untrusted`.
Impact
Arbitrary command execution in the chosen destination; malicious templates could misuse locally sourced variable values.
Mechanism
Template-controlled shell-script generation and `execSync` execution.
Rationale
Source inspection found no install-time behavior or concrete package-owned malicious payload. However, its explicit template workflow provides a real arbitrary-command execution path with limited safeguards and automatic local `.env` variable ingestion.
Evidence
package.jsonsrc/commands/initCommand.tssrc/remote.tssrc/safety.tssrc/postconfig.ts~/.pt/config.yaml~/.pt/security-audit.log<destination>/post_config.sh<destination>/post_config.bat<destination-and-up-to-five-parents>/.env
Network endpoints2
github.comgitea.lyonritchie.com
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `src/commands/initCommand.ts` generates and executes template-controlled `post_config.sh`/`.bat` via `execSync`.
- `--yes` selects all post-config tasks and bypasses the interactive confirmation for warned commands.
- `src/commands/initCommand.ts` reads `.env` files from up to five parent directories for template variables.
- `src/remote.ts` downloads and extracts remote templates; untrusted sources can proceed after confirmation or `--allow-untrusted`.
- `src/safety.ts` only blocks a limited command list; other shell commands remain executable after warning.
Evidence against
- `package.json` has no `preinstall`, `install`, or `postinstall` hook; only `prepublishOnly` builds TypeScript.
- Execution requires explicit `pt init` use with a supplied or previously learned template.
- The package warns on dangerous commands, blocks selected destructive commands, applies timeouts, and logs execution.
- No source evidence of package-owned credential exfiltration, stealth persistence, or AI-agent control-surface mutation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/safety.jsView file
36'chmod -R', 'chown -R', 'chgrp -R',
L37: // PowerShell (Windows)
L38: 'powershell', 'pwsh', 'Invoke-Expression', 'IEX',
...
L235: // Skip flags
L236: if (arg.startsWith('-') || (process.platform === 'win32' && arg.startsWith('/'))) {
L237: continue;
...
L262: });
L263: return { success: true, stdout: output };
L264: }
...
L283: template: templateName,
L284: user: os.userInfo().username,
L285: result,
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/safety.jsView on unpkg · L36tests/safety.test.tsView file
7// Force a temporary home directory for testing
L8: const testHome = path.join(process.cwd(), '.test-home-safety');
L9: process.env.HOME = testHome;
L10:
...
L115: test('isDangerousCommand: warns on remote downloads', () => {
L116: assert.strictEqual(isDangerousCommand('curl https://example.com'), true);
L117: assert.strictEqual(isDangerousCommand('wget https://example.com/file'), true);
...
L133: assert.strictEqual(isDangerousCommand('exec bash'), true);
L134: assert.strictEqual(isDangerousCommand('source ~/.bashrc'), true);
L135: });
...
L142:
L143: test('isDangerousCommand: warns on PowerShell dangerous commands', () => {
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
tests/safety.test.tsView on unpkg · L7Findings
3 Medium6 Low
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencetests/safety.test.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/safety.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings