registry  /  @jay-framework/aiditor  /  0.21.0

@jay-framework/aiditor@0.21.0

AIditor — visual AI-driven code editor plugin for Jay Framework

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User opens /aiditor or invokes exported Jay actions such as submitTask, ensureProjectPlugin, setupAiditor, or readFile
Impact
Potential project source modification and command execution under the user's project context if the AIditor UI/actions are used
Mechanism
user-invoked AI agent and plugin-management actions with filesystem and shell capabilities
Rationale
The scanner's child_process and install findings are real, but they are part of an explicit AI editor/plugin-management feature and there are no lifecycle hooks or covert payload behavior. Because the package grants an AI agent broad project editing and Bash capability when used, treat it as suspicious/dangerous capability rather than malicious.
Evidence
package.jsonplugin.yamlREADME.mddist/index.jsbuild/aditor/route-sessions.json.aiditor/page-requests/*.aiditor/plugin-setup-status.json.aiditor/plugin-sources.yamlagent-kit/plugin/aiditor-add-menu.mdagent-kit/plugin/INSTRUCTIONS.md

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js imports @anthropic-ai/claude-agent-sdk and runs query() with Read/Edit/Write/Bash/Glob/Grep tools for user tasks
  • dist/index.js exposes readFileAction that reads an input filePath and returns text or base64 image data
  • dist/index.js has user-invoked plugin install/update flows spawning yarn/npm/npx and writing .aiditor/plugin-setup-status.json
  • plugin.yaml setup handler copies aiditor-add-menu.md and may append agent-kit/plugin/INSTRUCTIONS.md
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • Runtime shell/package-manager use is behind exported Jay actions, not import-time or install-time execution
  • Network references are package-aligned: Claude Agent SDK use and npm version lookup/install for selected Jay plugins
  • No credential harvesting, obfuscated payload, persistence, destructive file removal, or hardcoded exfiltration endpoint found
  • AI-agent setup writes first-party AIditor guidance under agent-kit/plugin, not a foreign broad control-surface takeover
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 1.02 MB of source, external domains: aiditor.local, www.w3.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @jay-framework/aiditor@0.20.0 matchedIdentity = npm:QGpheS1mcmFtZXdvcmsvYWlkaXRvcg:0.20.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
13import { fileURLToPath } from "url"; L14: import { spawn } from "child_process"; L15: import { scanRoutes } from "@jay-framework/stack-route-scanner";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L13
1880cwd: projectDir, L1881: shell: true, L1882: env: process.env
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1880
1878return new Promise((resolve) => { L1879: const child = spawn("npx", ["jay-stack-cli", "validate"], { L1880: cwd: projectDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L1878

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License