registry  /  @life-and-dev/mdsite  /  0.6.0

@life-and-dev/mdsite@0.6.0

Local-first CLI that orchestrates mdsite-nuxt

AI Security Review

scanned 15h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are explicit CLI operations for a local-first Markdown/Nuxt site generator.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs mdsite CLI commands such as init, live/start, generate, static/preview, prepare github, clean, or stop
Impact
Creates and manages mdsite project/renderer files and may start local Nuxt processes; no evidence of unauthorized persistence, exfiltration, or install-time execution
Mechanism
user-invoked renderer setup, dependency install, local server process management, and content asset generation
Rationale
Static inspection shows a CLI that prepares and runs a bundled Nuxt renderer, with potentially sensitive primitives only behind explicit user commands and aligned with documented package behavior. There is no install-time execution, credential access, exfiltration, unauthorized persistence, or foreign AI-agent control-surface mutation.
Evidence
package.jsonbin/mdsite.jsdist/index.jsdist/renderer/mdsite-nuxt.jsdist/process/child-process.jsdist/commands/init.jsdist/commands/start.jsdist/commands/preview.jsdist/commands/generate.jsdist/commands/prepare.jsmdsite-nuxt/scripts/start.tsmdsite-nuxt/scripts/renderer-hooks.tsmdsite.yml.nvmrc.gitignore.github/workflows/deploy.yml<config.server.path>/content.config.yml<config.server.path>/.env<config.server.path>/live.json<config.server.path>/static.json<config.server.path>/live.log<config.server.path>/static.log<config.server.output>/
Network endpoints6
bolls.life/get-text/bolls.life/get-verse/www.biblegateway.com/passage/biblehub.com/interlinear/cdn.jsdelivr.net/npm/@mdi/font@7.4.47/css/materialdesignicons.min.cssfonts.googleapis.com/css2?family=Noto+Sans:wght@400;700&display=swap

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/renderer/mdsite-nuxt.js runs npm ci/install for bundled renderer dependencies when mdsite start/generate/preview is invoked
  • dist/process/child-process.js can spawn foreground/background npm renderer commands and open local URLs
  • mdsite-nuxt/app/plugins/bible-tooltips.client.ts fetches Bible text from bolls.life and links to BibleGateway
Evidence against
  • package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is publisher-side only
  • bin/mdsite.js only imports dist/index.js, which dispatches explicit CLI commands
  • Project writes are package-aligned: mdsite.yml, .nvmrc, .gitignore managed block, renderer .env/content.config.yml/runtime logs/state
  • No credential harvesting, secret-file reads, exfiltration endpoints, eval/Function, native binary loading, or AI-agent control-surface writes found
  • Network exposure is opt-in via mdsite live/static --host and otherwise local Nuxt preview/dev workflow
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 66 file(s), 353 KB of source, external domains: 0.0.0.0, 127.0.0.1, biblehub.com, bolls.life, cdn.jsdelivr.net, example.com, example.test, fonts.googleapis.com, github.com, preview.local, start.local, www.biblegateway.com, www.w3.org

Source & flagged code

3 flagged · loading source
dist/process/child-process.jsView file
1import { mkdir, open } from 'node:fs/promises'; L2: import { spawn } from 'node:child_process'; L3: import net from 'node:net';
High
Child Process

Package source references child process execution.

dist/process/child-process.jsView on unpkg · L1
mdsite-nuxt/scripts/start.tsView file
45L46: const nuxtProcess = spawn('npx', ['nuxt', nuxtCommand], { L47: cwd: rootDir,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

mdsite-nuxt/scripts/start.tsView on unpkg · L45
mdsite-nuxt/scripts/start.test.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @life-and-dev/mdsite@0.5.3 matchedIdentity = npm:QGxpZmUtYW5kLWRldi9tZHNpdGU:0.5.3 similarity = 0.754 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

mdsite-nuxt/scripts/start.test.tsView on unpkg

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltamdsite-nuxt/scripts/start.test.ts
HighChild Processdist/process/child-process.js
HighShell
HighRuntime Package Installmdsite-nuxt/scripts/start.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings