AI Security Review
scanned 6d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Lesto CLI with explicit development, generation, deployment, MCP, and eval commands; sensitive primitives are tied to those user-invoked workflows.
Static reason
No blocking static signals were detected.
Trigger
User runs the `lesto` CLI command.
Impact
Expected project generation, local dev serving, deployment, and eval behavior; no unconsented install-time mutation or exfiltration found.
Mechanism
CLI framework operations with project-local reads/writes and dev/deploy networking.
Rationale
Static inspection found a normal framework CLI: dynamic imports load user app files by command, network and filesystem operations are aligned with dev/deploy/generation features, and there are no lifecycle hooks or covert exfiltration paths. The agent/MCP-related writes are explicit user-command scaffolding or generated project docs, not unconsented install-time control-surface mutation.
Evidence
package.jsonbin/lesto.mjsdist/bin.jsdist/chunk-RZ3P4LOK.jsdist/src-UTZG2VVJ.jssrc/routes.gen.tsopenapi.jsonAGENTS.mdllms.txtapp/mcp/config.tsapp/mcp/verify.tsapp/mcp/governance.ts
Network endpoints1
api.anthropic.com/v1/messages
Decision evidence
public snapshotAI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has bin entry but no preinstall/install/postinstall lifecycle hooks.
- bin/lesto.mjs only selects src/bin.ts when present or dist/bin.js and loads it through jiti for user TS support.
- dist/bin.js executes behavior only after explicit `lesto` commands; no import-time credential harvesting or persistence found.
- Network use is package-aligned: dev localhost WebSocket/MCP, deploy health checks, wrangler, and Anthropic only for explicit `lesto eval`.
- Project writes are command-scoped: routes.gen.ts/openapi.json/build output, generated AGENTS.md/llms.txt, and explicit `lesto add mcp-auth` scaffold.
- AI/MCP surfaces are guarded: dev AI endpoint is same-origin token checked and dispatches an allowlisted read-only inspect tool.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/bin.jsView file
107deps.out(`eval: ${failures} of ${evals.length} failed`);
L108: throw new CliError("CLI_EVAL_FAILED", `${failures} eval(s) failed.`, {
L109: failed: failures,
Low
Eval
Package source references a known benign dynamic code generation pattern.
dist/bin.jsView on unpkg · L107bin/lesto.mjsView file
27jsx: { runtime: "automatic", importSource: "react" },
L28: }).import(entry);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
bin/lesto.mjsView on unpkg · L27Findings
3 Medium5 Low
MediumDynamic Requirebin/lesto.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/bin.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings