registry  /  @holoscript/core  /  8.0.9

@holoscript/core@8.0.9

Broken publish: package manifest retained workspace: ranges. Use @holoscript/core@8.0.10 or later.

Core parser, AST, compiler infrastructure, trait system, and runtime for HoloScript — the open AI-spatial reality protocol for 3D/XR/IoT

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No unconsented install-time attack was found. The package exposes runtime/CLI agent capabilities that can execute shell commands and make HTTP/webhook calls when a user runs HoloScript compositions or daemons.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes holoscript CLI daemon/run flows or a composition emits shell:webhook/http events.
Impact
Could execute local commands, write project .holoscript state files, or send configured payloads to remote services if enabled by user configuration.
Mechanism
user-invoked agent runtime shell and network capabilities
Rationale
The scanner's command-output exfiltration label is not supported as an automatic malicious chain: command execution and webhook/http sending are user-invoked runtime traits, and install/import paths do not trigger them. Because the package provides agent-like shell/network capabilities, warn rather than block.
Evidence
package.jsonbin/holoscript.cjsdist/cli/holoscript-runner.jsdist/chunk-BQJ3YBF3.jsdist/chunk-GJNCFRJU.cjsdist/chunk-GIBF4BHH.js.holoscript/daemon.lock.holoscript/holomesh-daemon.lock.holoscript/holomesh-state.json
Network endpoints3
mcp-orchestrator-production-45f9.up.railway.appmcp.holoscript.netapi.openai.com

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/chunk-BQJ3YBF3.js registers shell, webhook, and http traits in the default trait registry.
  • dist/chunk-BQJ3YBF3.js shell trait can spawn user-specified commands with shell:true on shell:exec events.
  • dist/cli/holoscript-runner.js daemon can write .holoscript state/lock files and run skill commands when --allow-shell is enabled.
  • dist/cli/holoscript-runner.js holomesh-daemon contacts a default remote orchestrator using HOLOSCRIPT_API_KEY.
Evidence against
  • package.json has no preinstall/install/postinstall script; only prepublishOnly build script.
  • bin/holoscript.cjs only dispatches to the CLI runner; no install-time execution.
  • Webhook/http URLs are config or event supplied; no hardcoded command-output exfiltration sink found.
  • CLI shell skill execution defaults allowShell:false and supports command allowlisting.
  • ExpressionEvaluator blocks obvious process/fs/child_process escapes before using Function.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 385 file(s), 19.8 MB of source, external domains: api.holoscript.net, api.meshy.ai, api.nft.storage, api.openai.com, api.pinata.cloud, api.rendernetwork.com, api.telegram.org, api.tripo3d.ai, cdn.jsdelivr.net, cloudflare-ipfs.com, discord.com, download.ros.org, eslint.org, github.com, hololand.app, hololand.holoscript.studio, holoscript.dev, holoscript.net, holoscript.studio, hyperhuman.deemos.com, ipfs.infura.io, ipfs.io, marketplace.holoscript.net, mcp-orchestrator-production-45f9.up.railway.app, mcp.holoscript.net, nvidia-isaac-ros.github.io, ollama.com, railway.app, raw.githubusercontent.com, schema.org, schemas.android.com, schemas.horizonos, slack.com, storage.googleapis.com, studio.holoscript.net, twitter.com, unpkg.com, www.apple.com, www.mixamo.com, www.npmjs.com, www.w3.org, your-vault.vault.azure.net

Source & flagged code

10 flagged · loading source
dist/traits/index.jsView file
15694// Vulnerability Scanner - Node.js L15695: const { exec } = require('child_process'); L15696: const { promisify } = require('util');
High
Child Process

Package source references child process execution.

dist/traits/index.jsView on unpkg · L15694
dist/cli/holoscript-runner.jsView file
372env: { ...process.env, ...options?.env ?? {} }, L373: shell: true, L374: stdio: ["ignore", "pipe", "pipe"]
High
Shell

Package source references shell execution.

dist/cli/holoscript-runner.jsView on unpkg · L372
dist/chunk-GJNCFRJU.cjsView file
97try { L98: const fn = new Function(...keys, `"use strict"; return (${expression});`); L99: return fn.call(null, ...values);
High
Eval

Package source references dynamic code evaluation.

dist/chunk-GJNCFRJU.cjsView on unpkg · L97
bin/holoscript.cjsView file
6// silent no-op (repro 2026-06-10: `holoscript help` → exit 0, zero bytes). L7: require('../dist/cli/holoscript-runner.cjs');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/holoscript.cjsView on unpkg · L6
dist/index.jsView file
138Cross-file remote execution chain: dist/index.js spawns dist/tools/index.js; helper contains network access plus dynamic code execution. L138: import { createHash } from 'crypto'; L139: import { inflateSync, deflateSync } from 'zlib'; L140: import { EventEmitter } from 'events'; ... L255: params: action.parameters?.map((p) => p.name) || [], L256: body: action.body L257: }); ... L487: const __filename = fileURLToPath(import.meta.url); L488: const __dirname2 = path5.dirname(__filename); L489: const metricsDir = path5.join(__dirname2, "../../../.perf-metrics"); ... L516: let env = "unknown"; L517: if (!isBrowser && typeof process !== "undefined" && process.env) { L518: env = process.env.NODE_ENV || "test";
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L138
138import { createHash } from 'crypto'; L139: import { inflateSync, deflateSync } from 'zlib'; L140: import { EventEmitter } from 'events'; ... L255: params: action.parameters?.map((p) => p.name) || [], L256: body: action.body L257: }); ... L487: const __filename = fileURLToPath(import.meta.url); L488: const __dirname2 = path5.dirname(__filename); L489: const metricsDir = path5.join(__dirname2, "../../../.perf-metrics"); ... L516: let env = "unknown"; L517: if (!isBrowser && typeof process !== "undefined" && process.env) { L518: env = process.env.NODE_ENV || "test";
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/index.jsView on unpkg · L138
dist/chunk-GIBF4BHH.jsView file
311}, L312: metadata: { L313: sourceBlocks: proceduralBlocks.map(sourceBlockName), ... L693: SECRET_KEY_RE = /(^|[_-])(api[_-]?key|token|secret|password|credential|bearer|auth)([_-]|$)/i; L694: INLINE_SECRET_VALUE_RE = /(sk-[A-Za-z0-9_-]{8,}|Bearer\s+[A-Za-z0-9._-]{8,}|ghp_[A-Za-z0-9_]{8,}|xox[baprs]-[A-Za-z0-9-]{8,}|AIza[0-9A-Za-z_-]{8,}|-----BEGIN\s+(?:RSA\s+)?PRIVATE K... L695: OmnigentAgentYamlCompiler = class extends CompilerBase { ... L1471: const command = this.cmdLine(cfg.executable, args); L1472: const powershell = this.genPowerShellLaunch(cfg, args); L1473: const healthProbe = this.genHealthProbe(cfg); ... L1518: compileToFiles(composition, agentToken = "") { L1519: const bundle = JSON.parse(this.compile(composition, agentToken)); L1520: return Object.fromEntries(bundle.files.map((file) => [file.path, file.content]));
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/chunk-GIBF4BHH.jsView on unpkg · L311
311}, L312: metadata: { L313: sourceBlocks: proceduralBlocks.map(sourceBlockName), ... L693: SECRET_KEY_RE = /(^|[_-])(api[_-]?key|token|secret|password|credential|bearer|auth)([_-]|$)/i; L694: INLINE_SECRET_VALUE_RE = /(sk-[A-Za-z0-9_-]{8,}|Bearer\s+[A-Za-z0-9._-]{8,}|ghp_[A-Za-z0-9_]{8,}|xox[baprs]-[A-Za-z0-9-]{8,}|AIza[0-9A-Za-z_-]{8,}|-----BEGIN\s+(?:RSA\s+)?PRIVATE K... L695: OmnigentAgentYamlCompiler = class extends CompilerBase { ... L1471: const command = this.cmdLine(cfg.executable, args); L1472: const powershell = this.genPowerShellLaunch(cfg, args); L1473: const healthProbe = this.genHealthProbe(cfg); ... L1518: compileToFiles(composition, agentToken = "") { L1519: const bundle = JSON.parse(this.compile(composition, agentToken)); L1520: return Object.fromEntries(bundle.files.map((file) => [file.path, file.content]));
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunk-GIBF4BHH.jsView on unpkg · L311
dist/chunk-IFW5IW4L.cjsView file
1366fireCount: state.fireCount, L1367: data: payload.data L1368: }); ... L4667: heading: "How it works", L4668: mock_qr: { demo_url: "https://holoscript.studio", caption: "A QR code looks like this", display_dp: 180 }, L4669: steps: [], ... L15228: break; L15229: } else if (zone.type === "private") { L15230: if (isInZone(speakerPos, zone) !== isInZone(listenerPos, zone)) { ... L16900: function mockGenerate(circuit, publicInputs) { L16901: const hash = JSON.stringify({ id: circuit.id, publicInputs }).split("").reduce((acc, c) => acc * 31 + c.charCodeAt(0) & 4294967295, 0); L16902: const proof = new Uint8Array(64).fill(0);
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/chunk-IFW5IW4L.cjsView on unpkg · L1366
dist/chunk-BQJ3YBF3.jsView file
1364Trigger-reachable chain: manifest.main -> dist/index.js -> dist/chunk-BQJ3YBF3.js L1364: fireCount: state.fireCount, L1365: data: payload.data L1366: }); ... L4665: heading: "How it works", L4666: mock_qr: { demo_url: "https://holoscript.studio", caption: "A QR code looks like this", display_dp: 180 }, L4667: steps: [], ... L15226: break; L15227: } else if (zone.type === "private") { L15228: if (isInZone(speakerPos, zone) !== isInZone(listenerPos, zone)) { ... L16898: function mockGenerate(circuit, publicInputs) { L16899: const hash = JSON.stringify({ id: circuit.id, publicInputs }).split("").reduce((acc, c) => acc * 31 + c.charCodeAt(0) & 4294967295, 0); L16900: const proof = new Uint8Array(64).fill(0);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-BQJ3YBF3.jsView on unpkg · L1364

Findings

2 Critical5 High5 Medium7 Low
CriticalCommand Output Exfiltrationdist/chunk-IFW5IW4L.cjs
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-BQJ3YBF3.js
HighChild Processdist/traits/index.js
HighShelldist/cli/holoscript-runner.js
HighEvaldist/chunk-GJNCFRJU.cjs
HighObfuscated Payload Loaderdist/chunk-GIBF4BHH.js
HighCross File Remote Execution Contextdist/index.js
MediumDynamic Requirebin/holoscript.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/chunk-GIBF4BHH.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/index.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings