registry  /  @happyvertical/smrt-cli  /  0.37.10

@happyvertical/smrt-cli@0.37.10

Developer CLI for SMRT framework - introspection, testing, and project management

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by source inspection. The risky primitives are user-invoked developer CLI features for scaffolding, migrations, git merge setup, tests, and template downloads.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit smrt CLI command execution by the user
Impact
Project files may be generated or modified only by selected commands; no install-time mutation or exfiltration confirmed
Mechanism
developer CLI scaffolding, dynamic imports, template download, subprocess wrappers
Rationale
Static source inspection shows a developer CLI with potentially powerful but expected, user-invoked commands; there is no lifecycle hook, stealth persistence, credential exfiltration, or unconsented AI-agent control-surface mutation. Scanner findings map to legitimate CLI features such as lazy imports, scaffolding writes, git setup, template downloads, and subprocess execution.
Evidence
package.jsonbin/smrt.jsdist/index.jsdist/commands-gnJG0EIL.jsdist/config-BwrFRL8L.js.smrt/register.js.gitattributessmrt.config.tssrc/lib/server/smrt.tssrc/lib/objects/index.tssrc/lib/objects/Example.ts.env.example.gitignoresrc/svelte/playground.tssrc/playground.tssrc/routes/playground/+page.sveltevite.config.tsvite.config.js.smrt/manifest.jsontest-manifest.jsontest-manifest-stub.ts
Network endpoints3
github.com/${repo.user}/${repo.repo}/archive/${repo.ref}.tar.gzgitlab.com/${repo.user}/${repo.repo}/-/archive/${repo.ref}/${repo.repo}-${repo.ref}.tar.gzbitbucket.org/${repo.user}/${repo.repo}/get/${repo.ref}.tar.gz

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; bin only spawns node on dist/index.js or source fallback.
    • bin/smrt.js child_process use is a CLI wrapper forwarding user argv, not install-time execution.
    • dist/index.js lazy-loads command bundles and imports project/.smrt files only when CLI commands run.
    • dist/commands-gnJG0EIL.js package manager/base generator execution is user-invoked gnode/template generation with command/arg validation and shell:false except Windows helper.
    • dist/commands-gnJG0EIL.js network use downloads user-selected git templates from GitHub/GitLab/Bitbucket tarballs with HTTPS redirect host validation and size/timeout limits.
    • File writes are command-aligned scaffolding/config/manifest/git merge setup; no credential harvesting or exfiltration path found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 6 file(s), 383 KB of source, external domains: bitbucket.org, github.com, gitlab.com

    Source & flagged code

    5 flagged · loading source
    bin/smrt.jsView file
    2L3: import { spawnSync } from 'node:child_process'; L4: import { existsSync } from 'node:fs';
    High
    Child Process

    Package source references child process execution.

    bin/smrt.jsView on unpkg · L2
    dist/commands-gnJG0EIL.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @happyvertical/smrt-cli@0.38.3 matchedIdentity = npm:QGhhcHB5dmVydGljYWwvc21ydC1jbGk:0.38.3 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/commands-gnJG0EIL.jsView on unpkg
    4469* Security: Command and arguments are validated to prevent injection attacks. L4470: * shell: true is NOT used to avoid command injection vulnerabilities. L4471: */
    High
    Shell

    Package source references shell execution.

    dist/commands-gnJG0EIL.jsView on unpkg · L4469
    3648execSync(`git config ${configScope} merge.smrt-json.name "SMRT JSON merge driver"`, { stdio: "inherit" }); L3649: execSync(`git config ${configScope} merge.smrt-json.driver "npx smrt merge-json %O %A %B"`, { stdio: "inherit" }); L3650: changes.push(`Git merge driver configured (${options.global ? "global" : "local"})`);
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/commands-gnJG0EIL.jsView on unpkg · L3648
    121} L122: const { getPackageConfig } = await import("@happyvertical/smrt-config"); L123: const { DEFAULT_CLI_CONFIG } = await import("./config-BwrFRL8L.js");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/commands-gnJG0EIL.jsView on unpkg · L121

    Findings

    1 Critical3 High4 Medium4 Low
    CriticalPrevious Version Dangerous Deltadist/commands-gnJG0EIL.js
    HighChild Processbin/smrt.js
    HighShelldist/commands-gnJG0EIL.js
    HighRuntime Package Installdist/commands-gnJG0EIL.js
    MediumDynamic Requiredist/commands-gnJG0EIL.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings