AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a framework CLI with user-invoked dev, build, deploy, MCP, eval, and scaffolding commands; risky primitives are aligned with those commands and gated by explicit CLI actions.
Static reason
No blocking static signals were detected.
Trigger
User runs the lesto CLI command such as dev, serve, deploy, mcp, eval, generate, add, or openapi.
Impact
No unconsented install-time execution, credential harvesting, exfiltration, persistence, or AI-agent control hijack identified.
Mechanism
Framework CLI orchestration with dynamic project imports, filesystem generation, local servers, and deploy tooling.
Rationale
Static inspection shows a legitimate CLI whose dynamic imports, child process use, env reads, network calls, and file writes are tied to explicit framework commands rather than install/import-time behavior. No source evidence shows stealth persistence, credential exfiltration, destructive behavior, or unconsented mutation of a broad AI-agent control surface.
Evidence
package.jsonbin/lesto.mjssrc/bin.tssrc/eval.tssrc/mcp.tssrc/ai-bridge.tssrc/ai-redact.tssrc/add.tslesto.app.tsapp/routessrc/routes.gen.tsenv.client.tslesto.sites.tslesto.build.tslesto.evals.tslesto.content.tsapp/mcp/config.tsapp/mcp/verify.tsapp/mcp/governance.ts
Network endpoints6
lesto.rungithub.com/lesto-run/lesto.gitgithub.com/lesto-run/lesto/issuesissuer.example.comissuer.example.com/.well-known/jwks.jsonmcp.example.com
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- src/bin.ts spawns external wrangler only for explicit deploy/rollback commands.
- src/bin.ts reads AWS_/LESTO_DEPLOY_ env credentials for user-requested remote release store publishing.
- src/bin.ts dynamically imports project files such as lesto.app.ts, routes, sites, content, evals during CLI commands.
- src/mcp.ts exposes operator-mode MCP mutations only when user passes --operator.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- bin/lesto.mjs only registers jiti and imports ../src/bin.ts as the CLI entrypoint.
- src/ai-bridge.ts uses a positive read-only allowlist for dev AI overlay tools.
- src/ai-redact.ts redacts paths/secrets before AI overlay context forwarding.
- Network activity is command-aligned: local dev servers, deploy health checks, Wrangler/remote release stores, optional eval judge.
- Project file writes are user-invoked CLI outputs such as generated routes, OpenAPI, scaffolding, build artifacts, and release stores.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcesrc/eval.tsView file
177L178: throw new CliError("CLI_EVAL_FAILED", `${failures} eval(s) failed.`, {
L179: failed: failures,
Low
Eval
Package source references a known benign dynamic code generation pattern.
src/eval.tsView on unpkg · L177src/bin.tsView file
239L240: // Auto-wire file-based routes onto the loaded app: scan `app/routes/`, `import()`
L241: // each page/layout, and register them via `@lesto/web`'s applier. The scan and
Medium
Dynamic Require
Package source references dynamic require/import behavior.
src/bin.tsView on unpkg · L239Findings
3 Medium5 Low
MediumDynamic Requiresrc/bin.ts
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvalsrc/eval.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings