registry  /  @keystrokehq/keystroke  /  0.1.24

@keystrokehq/keystroke@0.1.24

Keystroke authoring facade — re-exports primitives for user projects.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package exposes an AI agent/workflow/client SDK with user-invoked network calls, sandboxing, MCP stdio, and local session storage as expected for this package domain.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user code imports SDK APIs and runs agents, workflows, client.execute, sandbox, or MCP connections.
Impact
No unconsented install-time or import-time compromise identified.
Mechanism
package-aligned SDK execution primitives
Rationale
Static inspection shows powerful AI-agent and sandbox capabilities, but they are exported/user-invoked framework features with no lifecycle hook, import-time execution, credential harvesting, persistence, or covert endpoint. Scanner hits are explained by bundled AI SDK, MCP, Vercel OIDC, and just-bash code rather than concrete malicious behavior.
Evidence
package.jsondist/agent.mjsdist/client.mjsdist/config.mjsdist/sandbox.mjsdist/dist-CkW_0ydn.mjsdist/dist-BhRN0eMQ.mjsdist/js-exec-N5KEZBH7-DjRjamrT.mjsagent session/memory files under KEYSTROKE_AGENTS_DIR or user data dirs when agent APIs are invoked
Network endpoints5
ai-gateway.vercel.shapi.keystroke.ailocalhost:3002PLATFORM_URLPUBLIC_PLATFORM_URL

Decision evidence

public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • Exports include agent/sandbox/client APIs with user-invoked tool execution and MCP stdio support.
  • dist/client.mjs posts tool executions to configured Keystroke platform URLs using env/API-key auth.
  • dist/agent.mjs can create local session/memory files when an agent is explicitly run.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and no bin entry.
  • Entrypoints mostly re-export framework primitives; no import-time credential harvesting or exfiltration found.
  • dist/dist-CkW_0ydn.mjs child_process spawn is MCP stdio transport with explicit command/options, shell:false.
  • dist/js-exec-* is bundled just-bash sandbox runtime documentation/implementation, not auto-executed on install/import.
  • Network endpoints are product-aligned: ai-gateway.vercel.sh, api.keystroke.ai, configured PLATFORM_URL/PUBLIC_PLATFORM_URL, localhost default.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 386 file(s), 8.75 MB of source, external domains: ai-gateway.vercel.sh, ai-sdk.dev, angular.io, api.keystroke.ai, api.vercel.com, cscott.net, datatracker.ietf.org, dom.spec.whatwg.org, example.com, github.com, json-schema.org, landley.net, raw.githubusercontent.com, trac.webkit.org, vercel.com, www.ibm.com, www.w3.org, www.whatwg.org

Source & flagged code

6 flagged · loading source
dist/chunk-4RUAZWKT-CISqwIli.mjsView file
22357} L22358: exec(t) { L22359: let e = this.acquireMatcher(t), s = this._global ? this._lastIndex : 0;
High
Child Process

Package source references child process execution.

dist/chunk-4RUAZWKT-CISqwIli.mjsView on unpkg · L22357
dist/dist-CkW_0ydn.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @keystrokehq/keystroke@0.1.22 matchedIdentity = npm:QGtleXN0cm9rZWhxL2tleXN0cm9rZQ:0.1.22 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/dist-CkW_0ydn.mjsView on unpkg
33692if (error) { L33693: if (command.name === "exec" && error.message === "EXECABORT Transaction discarded because of previous errors.") continue; L33694: if (!commonError) commonError = {
High
Shell

Package source references shell execution.

dist/dist-CkW_0ydn.mjsView on unpkg · L33692
dist/chunk-TN7HHBQW-D_SK6w5n.cjsView file
17strategy: "throw", L18: reason: "eval() allows arbitrary code execution" L19: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunk-TN7HHBQW-D_SK6w5n.cjsView on unpkg · L17
dist/tr-36LHWFRQ-CJUEJlEm.cjsView file
1require("./dist-D8doj-M6.cjs"); L2: require("./chunk-BZUGFHVS-7RRM7Jpb.cjs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tr-36LHWFRQ-CJUEJlEm.cjsView on unpkg · L1
dist/js-exec-N5KEZBH7-BuBt5sPH.cjsView file
40Cross-file remote execution chain: dist/js-exec-N5KEZBH7-BuBt5sPH.cjs spawns dist/chunk-TN7HHBQW-D_SK6w5n.cjs; helper contains network access plus dynamic code execution. L40: Available modules: L41: fs, path, child_process, process, console, L42: os, url, assert, util, events, buffer, stream, ... L55: child_process: L56: execSync(cmd) throws on non-zero exit, returns stdout L57: spawnSync(cmd, args) returns { stdout, stderr, status } ... L61: L62: os: platform(), arch(), homedir(), tmpdir(), type(), hostname(), L63: EOL, cpus(), endianness() L64: L65: url: URL, URLSearchParams, parse(), format() L66:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/js-exec-N5KEZBH7-BuBt5sPH.cjsView on unpkg · L40

Findings

1 Critical3 High4 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/dist-CkW_0ydn.mjs
HighChild Processdist/chunk-4RUAZWKT-CISqwIli.mjs
HighShelldist/dist-CkW_0ydn.mjs
HighCross File Remote Execution Contextdist/js-exec-N5KEZBH7-BuBt5sPH.cjs
MediumDynamic Requiredist/tr-36LHWFRQ-CJUEJlEm.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/chunk-TN7HHBQW-D_SK6w5n.cjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License