registry  /  @inixiative/config  /  0.5.5

@inixiative/config@0.5.5

Shared toolchain for the inixiative ecosystem: tsconfig/biome/tsup presets, a version manifest (BOM), and a sync/check CLI

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a shared config preset plus an explicit CLI that checks or synchronizes local repository toolchain settings.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit inixiative-config CLI invocation, or development prepare/prepublishOnly hooks
Impact
Can modify local project config/lock files and invoke git, bun, or npm during sync/train commands; no stealth install-time attack or exfiltration was identified.
Mechanism
repo configuration validation and optional local toolchain fixes
Rationale
The suspicious primitives are consistent with a documented repository maintenance CLI and are activated by explicit user commands rather than npm preinstall/install/postinstall. Static inspection found no concrete malware chain, credential/file harvesting, remote payload loading, destructive behavior, or AI-agent control-surface hijack.
Evidence
package.jsondist/cli.jsREADME.mdversions.jsondist/tsup.jslefthook/base.yml.bun-versionbun.lockbbun.lock.gitignorelefthook.ymltsconfig.jsonbiome.json

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json has prepare hook: lefthook install
  • dist/cli.js imports child_process spawnSync and runs git/bun/npm commands
  • dist/cli.js sync/train paths can write repo config and lock files
Evidence against
  • No preinstall/install/postinstall consumer lifecycle hook
  • README documents CLI as repo toolchain check/sync/scan/train utility
  • Command execution is behind explicit CLI commands, not import-time execution
  • No credential harvesting, eval/vm/Function, native binary loading, or hardcoded exfiltration endpoint found
  • File writes are package-aligned config fixes for package.json, tsconfig, biome, lefthook, bun lock/version files
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 27.7 KB of source

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
3// src/cli.ts L4: import { spawnSync as spawnSync2 } from "child_process"; L5: import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L3
291level: "error", L292: message: "bun.lock missing \u2192 run bun install and commit the lockfile" L293: }); L294: } else { L295: const ignoreStatus = spawnSync("git", ["check-ignore", "-q", "bun.lock"], { L296: cwd: dir2
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/cli.jsView on unpkg · L291

Findings

3 High3 Low
HighChild Processdist/cli.js
HighShell
HighRuntime Package Installdist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem