registry  /  @happyvertical/smrt-cli  /  0.37.1

@happyvertical/smrt-cli@0.37.1

Developer CLI for SMRT framework - introspection, testing, and project management

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are developer CLI features activated by explicit commands, not install-time or import-time behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit smrt CLI command invocation
Impact
Creates or updates project files and may run configured package-manager/dev commands only for requested workflows
Mechanism
user-invoked project scaffolding, docs generation, template loading, and dev/test helpers
Rationale
Static inspection shows a broad developer CLI with dynamic imports, file writes, child processes, and network template downloads, but all are aligned with documented commands and require explicit user invocation. There is no lifecycle execution, hidden exfiltration, persistence, destructive install behavior, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonbin/smrt.jsdist/index.jsdist/index-CZTaF6ei.jsAGENTS.mdCLAUDE.mdscripts/verify-package-types-exports.js.agents/smrt-framework.md.claude/smrt-framework.md.smrt/register.jssmrt.config.tssrc/lib/server/smrt.tssrc/lib/objects/index.tssrc/lib/objects/Example.ts.env.example.gitignore.gitattributesvite.config.tsvite.config.js
Network endpoints3
github.com/{user}/{repo}/archive/{ref}.tar.gzgitlab.com/{user}/{repo}/-/archive/{ref}/{repo}-{ref}.tar.gzbitbucket.org/{user}/{repo}/get/{ref}.tar.gz

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index-CZTaF6ei.js imports child_process, https, fs write APIs and can spawn package managers for user-invoked generators/dev commands.
  • dist/index-CZTaF6ei.js can download user-specified git templates from GitHub/GitLab/Bitbucket and import template.config files.
  • docs:agents/docs:claude can write agent documentation files under .agents or .claude when explicitly run.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • bin/smrt.js only re-spawns node on dist/index.js or source fallback with forwarded CLI args.
  • dist/index.js lazy-loads command bundle and imports project/.smrt modules only during CLI operations for SMRT object discovery.
  • Network access is limited to user-requested template tarball downloads with HTTPS and trusted-host redirect checks.
  • Secret-related code redacts DB URLs and config export filters secrets unless --include-secrets is explicitly supplied.
  • AGENTS.md and CLAUDE.md contain package documentation, not reviewer/prompt manipulation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 419 KB of source, external domains: bitbucket.org, github.com, gitlab.com

Source & flagged code

4 flagged · loading source
bin/smrt.jsView file
2L3: import { spawnSync } from 'node:child_process'; L4: import { existsSync } from 'node:fs';
High
Child Process

Package source references child process execution.

bin/smrt.jsView on unpkg · L2
dist/index-CZTaF6ei.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @happyvertical/smrt-cli@0.37.3 matchedIdentity = npm:QGhhcHB5dmVydGljYWwvc21ydC1jbGk:0.37.3 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/index-CZTaF6ei.jsView on unpkg
4303try { L4304: execSync( L4305: `git config ${configScope} merge.smrt-json.name "SMRT JSON merge driver"`, ... L4308: execSync( L4309: `git config ${configScope} merge.smrt-json.driver "npx smrt merge-json %O %A %B"`, L4310: { stdio: "inherit" }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index-CZTaF6ei.jsView on unpkg · L4303
124} L125: const { getPackageConfig } = await import("@happyvertical/smrt-config"); L126: const { DEFAULT_CLI_CONFIG } = await import("./config-C8pQD-tk.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index-CZTaF6ei.jsView on unpkg · L124

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/index-CZTaF6ei.js
HighChild Processbin/smrt.js
HighShell
HighRuntime Package Installdist/index-CZTaF6ei.js
MediumDynamic Requiredist/index-CZTaF6ei.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings