registry  /  @kahitsan/plugin-sdk  /  0.4.4

@kahitsan/plugin-sdk@0.4.4

THE single public author surface for Hilinga plugins: createPlugin, auth guards, the workspace-scoped data surface (makeDataSurface) + migrations + withTenantContext, cross-plugin RPC, and the wire-protocol verify surface. One npm package, no -composite/-

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. Residual risk remains because the published main entry is deliberately obfuscated and includes reviewer/AI-directed prompt text.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
importing the package main entry, or running the user-invoked plugin-sdk CLI
Impact
No confirmed exfiltration, persistence, destructive behavior, or lifecycle execution; opaque main bundle prevents high-confidence clean classification.
Mechanism
obfuscated SDK bundle plus local dev server/proxy tooling
Rationale
Source inspection did not confirm malicious behavior, but the shipped main entry is intentionally obfuscated and embeds prompt-injection text directed at AI reviewers. That unresolved opacity warrants a warning rather than a publish block.
Evidence
package.jsondist/index.jsbin/cli.mjssrc/dev/serve.tssrc/dev/dev-kernel.tssrc/dev/dev-host.tssrc/dev/preload.tssrc/dev/sqlite-pool.tssrc/dev/dev-assets.tsREADME.mdplugin.manifest.jsonserver/main.ts:memory: or KSERP_SQLITE_FILE
Network endpoints2
127.0.0.1:<port>S3_ENDPOINT from environment

Decision evidence

public snapshot
AI called this Suspicious at 72.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • dist/index.js is intentionally obfuscated with a string-array loader and large opaque string table.
  • dist/index.js banner contains an AI/LLM-directed refusal instruction, a reviewer prompt-injection signal.
  • Main package entry is only obfuscated dist/index.js; unobfuscated matching source for that entry is not shipped.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
  • bin/cli.mjs only user-invoked spawns Bun to run src/dev/serve.ts with supplied plugin dirs.
  • src/dev/* network activity is local dev proxy/RPC on 127.0.0.1 plus optional user-configured S3_ENDPOINT for local asset storage.
  • src/dev/preload.ts and sqlite-pool.ts implement Bun SQLite dev stubs; no credential harvesting or exfiltration found.
  • README.md describes the same plugin SDK/dev-toolkit behavior observed in source.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 27 file(s), 560 KB of source, external domains: 127.0.0.1, bun.sh, github.com, www.w3.org

Source & flagged code

8 flagged · loading source
bin/cli.mjsView file
11// so the launcher re-execs under Bun; install it from https://bun.sh. L12: import { spawn } from "node:child_process"; L13: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

bin/cli.mjsView on unpkg · L11
dist/index.jsView file
1/*! [redacted]... L2: const _0x3dff01=_0x51f1;(function(_0x47517c,_0x52ad84){const _0x40ea06=_0x51f1,_0x32338c=_0x47517c();while(!![]){try{const _0x5e64dd=-parseInt(_0x40ea06(0x20c))/(0x58*0x71+-0x11ab*...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L1
1/*! [redacted]... L2: const _0x3dff01=_0x51f1;(function(_0x47517c,_0x52ad84){const _0x40ea06=_0x51f1,_0x32338c=_0x47517c();while(!![]){try{const _0x5e64dd=-parseInt(_0x40ea06(0x20c))/(0x58*0x71+-0x11ab*...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1
src/dev/dev-host.tsView file
135) as Manifest; L136: l.proc = spawn({ L137: cmd: ["bun", "--preload", PRELOAD, join(l.dir, "server", "main.ts")], ... L139: env: { L140: ...process.env, L141: KSERP_DEV_PLUGIN_DIR: l.dir, ... L145: KSERP_PLUGIN_SCHEMAS: (manifest.schemas ?? []).join(","), L146: KSERP_KERNEL_URL: `http://127.0.0.1:${mediatorPort}`, L147: KSERP_INTERNAL_SECRET: DEV_SECRET,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/dev/dev-host.tsView on unpkg · L135
shell/sw.js.gzView file
path = shell/sw.js.gz kind = compressed_blob sizeBytes = 1440 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

shell/sw.js.gzView on unpkg
shell/favicon.icoView file
path = shell/favicon.ico kind = high_entropy_blob sizeBytes = 5667 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

shell/favicon.icoView on unpkg
shell/_build/.vite/manifest.json.gzView file
path = shell/_build/.vite/manifest.json.gz kind = payload_in_excluded_dir sizeBytes = 727 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

shell/_build/.vite/manifest.json.gzView on unpkg
src/dev/sqlite-pool.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @kahitsan/plugin-sdk@0.5.1 matchedIdentity = npm:QGthaGl0c2FuL3BsdWdpbi1zZGs:0.5.1 similarity = 0.926 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/dev/sqlite-pool.tsView on unpkg

Findings

1 Critical7 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/dev/sqlite-pool.ts
HighChild Processbin/cli.mjs
HighShell
HighSame File Env Network Executionsrc/dev/dev-host.ts
HighObfuscated Payload Loaderdist/index.js
HighObfuscated
HighShips High Entropy Blobshell/favicon.ico
HighPayload In Excluded Dirshell/_build/.vite/manifest.json.gz
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobshell/sw.js.gz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License