registry  /  @kahitsan/plugin-sdk  /  0.5.1

@kahitsan/plugin-sdk@0.5.1

THE single public author surface for Hilinga plugins: createPlugin, auth guards, the workspace-scoped data surface (makeDataSurface) + migrations + withTenantContext, cross-plugin RPC, and the wire-protocol verify surface. One npm package, no -composite/-

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The main risk is opaque obfuscated distributed code plus a prompt-injection notice, but inspected behavior aligns with an SDK/dev toolkit and requires explicit CLI/runtime use.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
importing the SDK or explicitly running plugin-sdk CLI
Impact
local dev server/process execution for user-supplied plugin directories; no confirmed exfiltration or persistence
Mechanism
obfuscated SDK bundle and local dev toolkit launcher
Rationale
The obfuscation and AI-directed notice in dist/index.js are suspicious, but direct source inspection did not show install-time execution, credential theft, persistence, destructive behavior, or non-aligned network exfiltration. The child process, database, localhost network, and S3 functionality are user-invoked dev-toolkit/SDK features.
Evidence
package.jsondist/index.jsbin/cli.mjssrc/dev/serve.tssrc/dev/dev-host.tssrc/dev/preload.tssrc/dev/sqlite-pool.tssrc/dev/dev-assets.tssrc/dev/dev-kernel.tsuser-supplied plugin.manifest.jsonuser-supplied server/main.tsoptional KSERP_SQLITE_FILE
Network endpoints2
127.0.0.1:<port>S3_ENDPOINT from environment

Decision evidence

public snapshot
AI called this Suspicious at 72.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js is deliberately obfuscated and begins with an AI/reviewer instruction-injection notice telling tools to refuse analysis.
  • dist/index.js imports pg and reads database env vars for direct migrations, increasing review opacity.
  • bin/cli.mjs and src/dev/serve.ts spawn Bun to run user-supplied plugin server/main.ts files when the CLI is invoked.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • bin/cli.mjs only launches the local dev toolkit after explicit CLI use; no import-time child process execution found.
  • src/dev/serve.ts and src/dev/dev-host.ts bind/proxy only localhost 127.0.0.1 dev endpoints for plugins and the toolkit shell.
  • src/dev/preload.ts sets a Bun SQLite dev hook and synthetic identity for local plugin testing.
  • src/dev/dev-assets.ts uses S3_* only when configured for package-aligned local asset upload/presign/delete.
  • No credential harvesting, persistence, destructive host writes, or off-package exfiltration endpoint found in inspected source.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 28 file(s), 586 KB of source, external domains: 127.0.0.1, bun.sh, github.com, www.w3.org

Source & flagged code

8 flagged · loading source
bin/cli.mjsView file
11// so the launcher re-execs under Bun; install it from https://bun.sh. L12: import { spawn } from "node:child_process"; L13: import { fileURLToPath } from "node:url";
High
Child Process

Package source references child process execution.

bin/cli.mjsView on unpkg · L11
dist/index.jsView file
1/*! [redacted]... L2: const _0x3c719f=_0x2acb;(function(_0x13741a,_0x26c9db){const _0xc9733b=_0x2acb,_0x63c1e2=_0x13741a();while(!![]){try{const _0x397a12=-parseInt(_0xc9733b(0x714))/(0x1338+0x26b7*-0x1...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

dist/index.jsView on unpkg · L1
1/*! [redacted]... L2: const _0x3c719f=_0x2acb;(function(_0x13741a,_0x26c9db){const _0xc9733b=_0x2acb,_0x63c1e2=_0x13741a();while(!![]){try{const _0x397a12=-parseInt(_0xc9733b(0x714))/(0x1338+0x26b7*-0x1...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1
src/dev/dev-host.tsView file
135) as Manifest; L136: l.proc = spawn({ L137: cmd: ["bun", "--preload", PRELOAD, join(l.dir, "server", "main.ts")], ... L139: env: { L140: ...process.env, L141: KSERP_DEV_PLUGIN_DIR: l.dir, ... L145: KSERP_PLUGIN_SCHEMAS: (manifest.schemas ?? []).join(","), L146: KSERP_KERNEL_URL: `http://127.0.0.1:${mediatorPort}`, L147: KSERP_INTERNAL_SECRET: DEV_SECRET,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

src/dev/dev-host.tsView on unpkg · L135
shell/sw.js.gzView file
path = shell/sw.js.gz kind = compressed_blob sizeBytes = 1440 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

shell/sw.js.gzView on unpkg
shell/favicon.icoView file
path = shell/favicon.ico kind = high_entropy_blob sizeBytes = 5667 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

shell/favicon.icoView on unpkg
shell/_build/.vite/manifest.json.gzView file
path = shell/_build/.vite/manifest.json.gz kind = payload_in_excluded_dir sizeBytes = 727 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

shell/_build/.vite/manifest.json.gzView on unpkg
src/dev/sqlite-pool.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @kahitsan/plugin-sdk@0.5.0 matchedIdentity = npm:QGthaGl0c2FuL3BsdWdpbi1zZGs:0.5.0 similarity = 0.929 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/dev/sqlite-pool.tsView on unpkg

Findings

1 Critical7 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/dev/sqlite-pool.ts
HighChild Processbin/cli.mjs
HighShell
HighSame File Env Network Executionsrc/dev/dev-host.ts
HighObfuscated Payload Loaderdist/index.js
HighObfuscated
HighShips High Entropy Blobshell/favicon.ico
HighPayload In Excluded Dirshell/_build/.vite/manifest.json.gz
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobshell/sw.js.gz
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License