registry  /  @lesto/cli  /  0.1.6

@lesto/cli@0.1.6

Broken under plain Node before 0.1.7; upgrade to ^0.1.7.

Lesto's `lesto` command-line tool — load a project's lesto.app.ts and run, serve, migrate, or inspect routes.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Lesto CLI with explicit development, generation, deployment, MCP, and eval commands; sensitive primitives are tied to those user-invoked workflows.

Static reason
No blocking static signals were detected.
Trigger
User runs the `lesto` CLI command.
Impact
Expected project generation, local dev serving, deployment, and eval behavior; no unconsented install-time mutation or exfiltration found.
Mechanism
CLI framework operations with project-local reads/writes and dev/deploy networking.
Rationale
Static inspection found a normal framework CLI: dynamic imports load user app files by command, network and filesystem operations are aligned with dev/deploy/generation features, and there are no lifecycle hooks or covert exfiltration paths. The agent/MCP-related writes are explicit user-command scaffolding or generated project docs, not unconsented install-time control-surface mutation.
Evidence
package.jsonbin/lesto.mjsdist/bin.jsdist/chunk-RZ3P4LOK.jsdist/src-UTZG2VVJ.jssrc/routes.gen.tsopenapi.jsonAGENTS.mdllms.txtapp/mcp/config.tsapp/mcp/verify.tsapp/mcp/governance.ts
Network endpoints1
api.anthropic.com/v1/messages

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has bin entry but no preinstall/install/postinstall lifecycle hooks.
    • bin/lesto.mjs only selects src/bin.ts when present or dist/bin.js and loads it through jiti for user TS support.
    • dist/bin.js executes behavior only after explicit `lesto` commands; no import-time credential harvesting or persistence found.
    • Network use is package-aligned: dev localhost WebSocket/MCP, deploy health checks, wrangler, and Anthropic only for explicit `lesto eval`.
    • Project writes are command-scoped: routes.gen.ts/openapi.json/build output, generated AGENTS.md/llms.txt, and explicit `lesto add mcp-auth` scaffold.
    • AI/MCP surfaces are guarded: dev AI endpoint is same-origin token checked and dispatches an allowlisted read-only inspect tool.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 5 file(s), 126 KB of source, external domains: 127.0.0.1, api.anthropic.com, auth.example.com, issuer.example.com, mcp.example.com

    Source & flagged code

    2 flagged · loading source
    dist/bin.jsView file
    107deps.out(`eval: ${failures} of ${evals.length} failed`); L108: throw new CliError("CLI_EVAL_FAILED", `${failures} eval(s) failed.`, { L109: failed: failures,
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/bin.jsView on unpkg · L107
    bin/lesto.mjsView file
    27jsx: { runtime: "automatic", importSource: "react" }, L28: }).import(entry);
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    bin/lesto.mjsView on unpkg · L27

    Findings

    3 Medium5 Low
    MediumDynamic Requirebin/lesto.mjs
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowEvaldist/bin.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings