registry  /  @keystrokehq/keystroke  /  0.1.27

@keystrokehq/keystroke@0.1.27

Keystroke authoring facade — re-exports primitives for user projects.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an agent/sandbox authoring facade with dangerous capabilities exposed as explicit user-invoked runtime tools.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User imports exported modules and invokes agent, sandbox, MCP, client, or config APIs.
Impact
Can execute user-defined sandbox commands, connect to configured MCP servers, and call configured Keystroke/AI endpoints when used as designed.
Mechanism
user-configured AI agent, sandbox, MCP, and platform client framework
Rationale
Static source inspection found powerful agent/sandbox primitives, network clients, and process spawning, but they are package-aligned APIs activated by user configuration rather than install-time/import-time malware. No concrete credential harvesting, unauthorized persistence, destructive action, or exfiltration behavior was found.
Evidence
package.jsondist/agent.mjsdist/client.mjsdist/config.mjsdist/sandbox.mjsdist/dist-jRbaylLr.mjsdist/dist-Bmjy7TiE.mjsdist/js-exec-N5KEZBH7-BYZdHawz.mjs
Network endpoints5
ai-gateway.vercel.shlocalhost:3002/mcp/execute/internal/projects/:id/mcp/execute/api/public/models

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/agent.mjs can create persistent agent memory files when agent runtime is invoked
  • dist/dist-Bmjy7TiE.mjs exposes MCP stdio spawning from user-supplied definitions
  • dist/js-exec-N5KEZBH7-BYZdHawz.mjs contains a sandboxed JS execution tool with fetch/fs/child_process-like APIs
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and exports only dist entrypoints
  • Network use is aligned to Keystroke/AI gateway clients, model catalogs, MCP execution, and OAuth flows
  • Shell/process execution is exposed as explicit sandbox/MCP tooling, not import-time behavior
  • File writes are scoped to agent memory, sandbox/workspace materialization, credentials, or user-invoked tools
  • No credential harvesting or exfiltration path found beyond configured API tokens sent to configured platform endpoints
  • Dynamic import in dist/config.mjs loads user project keystroke config by explicit loadConfig(cwd) call
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsObfuscatedTelemetryUrlStrings
Manifest
NoLicense
scanned 386 file(s), 8.76 MB of source, external domains: ai-gateway.vercel.sh, ai-sdk.dev, angular.io, api.keystroke.ai, api.vercel.com, cscott.net, datatracker.ietf.org, dom.spec.whatwg.org, example.com, github.com, json-schema.org, landley.net, raw.githubusercontent.com, trac.webkit.org, vercel.com, www.ibm.com, www.w3.org, www.whatwg.org

Source & flagged code

6 flagged · loading source
dist/dist-jRbaylLr.mjsView file
17378} L17379: async exec(t, s) { L17380: if (this.state.callDepth === 0 && (this.state.commandCount = 0), this.state.commandCount++, this.state.commandCount > this.limits.maxCommandCount) return {
High
Child Process

Package source references child process execution.

dist/dist-jRbaylLr.mjsView on unpkg · L17378
dist/dist-Bmjy7TiE.mjsView file
33692if (error) { L33693: if (command.name === "exec" && error.message === "EXECABORT Transaction discarded because of previous errors.") continue; L33694: if (!commonError) commonError = {
High
Shell

Package source references shell execution.

dist/dist-Bmjy7TiE.mjsView on unpkg · L33692
dist/chunk-TN7HHBQW-D_SK6w5n.cjsView file
17strategy: "throw", L18: reason: "eval() allows arbitrary code execution" L19: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/chunk-TN7HHBQW-D_SK6w5n.cjsView on unpkg · L17
dist/diff-MWJFIG7X-42sr7rDc.cjsView file
1require("./dist-D7ENCZrw.cjs"); L2: require("./chunk-BZUGFHVS-7RRM7Jpb.cjs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/diff-MWJFIG7X-42sr7rDc.cjsView on unpkg · L1
dist/js-exec-N5KEZBH7-BYZdHawz.mjsView file
40Cross-file remote execution chain: dist/js-exec-N5KEZBH7-BYZdHawz.mjs spawns dist/dist-jRbaylLr.mjs; helper contains network access plus dynamic code execution. L40: Available modules: L41: fs, path, child_process, process, console, L42: os, url, assert, util, events, buffer, stream, ... L55: child_process: L56: execSync(cmd) throws on non-zero exit, returns stdout L57: spawnSync(cmd, args) returns { stdout, stderr, status } ... L61: L62: os: platform(), arch(), homedir(), tmpdir(), type(), hostname(), L63: EOL, cpus(), endianness() L64: L65: url: URL, URLSearchParams, parse(), format() L66:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/js-exec-N5KEZBH7-BYZdHawz.mjsView on unpkg · L40
dist/dist-C7ptcoHx.cjsView file
matchType = previous_version_dangerous_delta matchedPackage = @keystrokehq/keystroke@0.1.25 matchedIdentity = npm:QGtleXN0cm9rZWhxL2tleXN0cm9rZQ:0.1.25 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/dist-C7ptcoHx.cjsView on unpkg

Findings

1 Critical3 High4 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/dist-C7ptcoHx.cjs
HighChild Processdist/dist-jRbaylLr.mjs
HighShelldist/dist-Bmjy7TiE.mjs
HighCross File Remote Execution Contextdist/js-exec-N5KEZBH7-BYZdHawz.mjs
MediumDynamic Requiredist/diff-MWJFIG7X-42sr7rDc.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/chunk-TN7HHBQW-D_SK6w5n.cjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License