registry  /  @juggernautlabs/cloud  /  0.1.1

@juggernautlabs/cloud@0.1.1

Official Node.js and browser SDK for the Juggernaut Cloud Platform. Execute AI processes, manage cloud database schemas, search resources, and run plugins locally.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Explicit runtime APIs can execute server-fetched plugin JavaScript with host-process capabilities. An explicit browser-extension API can execute returned commands in an active tab, including custom JavaScript.

Static reason
No blocking static signals were detected.
Trigger
Caller invokes `initializePlugin(..., { execute: true })` or `executeBrowserCommands(...)` in a Chrome extension context.
Impact
A compromised or malicious cloud plugin/command response could execute code with the invoking Node process or extension-tab permissions.
Mechanism
Remote plugin VM execution and browser-tab command execution.
Rationale
No malicious install-time, credential-harvesting, persistence, or stealth behavior was found. The package nevertheless exposes explicit remote-content execution paths with broad host/browser authority, warranting a warning.
Evidence
package.jsonbuild/index.jsbuild/CloudResourceAPI.jsbuild/PluginManager.jsbuild/BrowserAutomationManager.jsbuild/CloudDatabaseManager.jsREADME.md
Network endpoints1
core.juggernautlabs.ai

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `build/index.js` fetches plugin content then executes it when `execute: true`.
  • `build/PluginManager.js` runs fetched script with `vm.runInContext`.
  • Plugin VM exposes `require`, `process`, `global`, `fetch`, and `Buffer`.
  • `build/BrowserAutomationManager.js` executes cloud-result commands in active Chrome tabs, including `new Function`.
  • Browser automation requires an explicit runtime call and Chrome extension APIs.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; only `prepublishOnly`.
  • No package code reads local credentials, agent configuration, or filesystem paths before user-invoked APIs.
  • Network requests target the package-aligned `https://core.juggernautlabs.ai` API.
  • No persistence, destructive shell execution, or import-time remote payload execution found.
Behavioral surface
Source
CryptoDynamicRequireEvalNetwork
Supply chain
MinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 19 file(s), 141 KB of source, external domains: core.juggernautlabs.ai

Source & flagged code

3 flagged · loading source
build/esm/BrowserAutomationManager.jsView file
191try { L192: const fn = new Function('args', command.fn); L193: return { executed: true, result: fn(command.args) };
Low
Eval

Package source references a known benign dynamic code generation pattern.

build/esm/BrowserAutomationManager.jsView on unpkg · L191
build/CloudDatabaseManager.jsView file
6exports.DatabaseSchema = void 0; L7: const CloudResourceAPI_js_1 = __importDefault(require("./CloudResourceAPI.js")); L8: class CloudDatabaseManager {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

build/CloudDatabaseManager.jsView on unpkg · L6
build/esm/PluginManager.jsView file
17__filename: pluginName, L18: __dirname: '', L19: process, ... L33: FileReader: globalThis.FileReader, L34: FormData: globalThis.FormData, L35: ReadableStream: globalThis.ReadableStream, ... L38: TextEncoder: globalThis.TextEncoder, L39: TextDecoder: globalThis.TextDecoder, L40: EventTarget: globalThis.EventTarget,
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

build/esm/PluginManager.jsView on unpkg · L17

Findings

3 Medium4 Low
MediumDynamic Requirebuild/CloudDatabaseManager.js
MediumUnsafe Vm Contextbuild/esm/PluginManager.js
MediumNetwork
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvalbuild/esm/BrowserAutomationManager.js
LowUrl Strings