
@life-and-dev/mdsite@0.5.3

Local-first CLI that orchestrates mdsite-nuxt

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a local-first documentation-site CLI that initializes project files and runs a bundled Nuxt renderer when the user invokes mdsite commands.

Static reason
One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.
Trigger
User runs mdsite init/start/live/generate/static/prepare github
Impact
Creates expected mdsite project/renderer files and may install renderer dependencies or run a local dev/preview server; no credential harvesting, exfiltration, persistence, or AI-agent control-surface mutation found.
Mechanism
CLI-managed renderer setup and Nuxt process orchestration
Rationale
Static inspection shows user-invoked CLI behavior for initializing and serving/generating a local Nuxt-backed markdown site. Suspicious primitives are package-aligned and no install-time execution, exfiltration, destructive behavior, persistence, or AI-agent hijack behavior was found.
Evidence
package.json
bin/mdsite.js
dist/index.js
dist/commands/init.js
dist/commands/start.js
dist/renderer/mdsite-nuxt.js
dist/process/child-process.js
mdsite-nuxt/scripts/start.ts
mdsite-nuxt/scripts/renderer-hooks.ts
mdsite-nuxt/package.json
mdsite-nuxt/nuxt.config.ts
mdsite-nuxt/app/plugins/bible-tooltips.client.ts
mdsite.yml
.nvmrc
.gitignore
.mdsite/package.json
.mdsite/package-lock.json
.mdsite/.env
.mdsite/content.config.yml
.github/workflows/deploy.yml
Network endpoints (6)
cdn.jsdelivr.net/npm/@mdi/font@7.4.47/css/materialdesignicons.min.css
fonts.googleapis.com/css2?family=Noto+Sans:wght@400;700&display=swap
bolls.life/get-text/
bolls.life/get-verse/
www.biblegateway.com/passage/
biblehub.com/interlinear/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no install/postinstall hook; only prepublishOnly test/build verification
• bin/mdsite.js only imports the dist/index.js CLI dispatcher
• dist/renderer/mdsite-nuxt.js runs npm ci/install only for bundled/configured renderer dependencies during user-invoked CLI commands
• dist/commands/init.js writes mdsite.yml, .nvmrc, .gitignore, and renderer lockfiles in the current content project without overwriting user config
• mdsite-nuxt/scripts/start.ts spawns npx nuxt for renderer modes after setup hooks; no remote code fetch beyond package-manager dependency install
• Network use is package-aligned UI/dev behavior: local browser URLs, Nuxt/font/CDN links, and optional Bible verse API fetches
Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
Scanned 65 file(s), 355 KB of source; external domains: 0.0.0.0, 127.0.0.1, biblehub.com, bolls.life, cdn.jsdelivr.net, example.com, example.test, fonts.googleapis.com, github.com, preview.local, start.local, www.biblegateway.com, www.w3.org

Source & flagged code

3 flagged

dist/process/child-process.js (lines 1-3)
import { mkdir, open } from 'node:fs/promises';
import { spawn } from 'node:child_process';
import net from 'node:net';
High
Child Process

Package source references child process execution.

Location: dist/process/child-process.js, line 1

mdsite-nuxt/scripts/start.ts (lines 47-48)
const nuxtProcess = spawn('npx', ['nuxt', nuxtCommand], {
  cwd: rootDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

Location: mdsite-nuxt/scripts/start.ts, line 46

mdsite-nuxt/nuxt.config.ts
matchType = previous_version_dangerous_delta
matchedPackage = @life-and-dev/mdsite@0.5.1
matchedIdentity = npm:QGxpZmUtYW5kLWRldi9tZHNpdGU:0.5.1
similarity = 0.813
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Location: mdsite-nuxt/nuxt.config.ts

Findings

1 Critical · 3 High · 3 Medium · 5 Low
Critical: Previous Version Dangerous Delta (mdsite-nuxt/nuxt.config.ts)
High: Child Process (dist/process/child-process.js)
High: Shell
High: Runtime Package Install (mdsite-nuxt/scripts/start.ts)
Medium: Network
Medium: Environment Vars
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings