registry  /  @loxtep/sdk  /  0.4.0

@loxtep/sdk@0.4.0

Loxtep SDK for Node.js — the Enterprise Context Layer: data products, flows, projects, queues, and machine-usable context for AI

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `loxtep init --template <slug>` in a project directory.
Impact
A user-invoked project setup can direct compatible agents toward the Loxtep MCP service; no stealth, install-time mutation, or exfiltration chain was confirmed.
Mechanism
Explicit CLI writes project-local AI-agent configuration and scaffolding.
Rationale
Source inspection found no concrete malicious behavior or unconsented lifecycle mutation. The explicit agent-configuration scaffold remains a guarded capability risk, so downgrade to warn rather than block or clean.
Evidence
package.jsondist/cli/commands/init-cmd.jsdist/auth/browser-login.jsdist/http/client.jsdist/cli/commands/test-cmd.jsdist/cli/commands/deploy-cmd.jsdist/cli/project-context.jsdist/cli/credentials.jsdist/config/paths.jsdist/config/save.js
Network endpoints3
api.loxtep.ioapp.loxtep.iomcp.loxtep.io/ai/mcp/stream

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `loxtep init --template` writes project-root `AGENTS.md` containing an `mcpServers` entry for Loxtep.
  • The same explicit init path writes `.loxtep/skills/<template>.yaml` with read/write workflow permissions.
  • Browser login starts a localhost callback and launches a user browser via `child_process.exec`.
  • `test` and `deploy` dynamically import workflow files from the user project.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook; only `prepublishOnly` builds before publishing.
  • Agent-related files are created only by explicit `loxtep init --template`, not on install or import.
  • Credential/config writes are limited to `~/.loxtep` and are invoked by login/config commands.
  • HTTP requests use configured Loxtep API URLs and authenticated SDK operations; no harvesting/exfiltration path was found.
  • No `eval`, VM, binary/native loader, destructive broad filesystem action, or hidden persistence was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 140 file(s), 400 KB of source, external domains: api.loxtep.io, app.loxtep.io, docs.loxtep.io, mcp.loxtep.io

Source & flagged code

1 flagged · loading source
dist/cli/commands/test-cmd.jsView file
198// Use dynamic import; for .ts files this requires a loader (tsx, ts-node, etc.) L199: const mod = await import(candidate); L200: // The module should export a default or named `workflow` that is a DataWorkflowModule
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/commands/test-cmd.jsView on unpkg · L198

Findings

4 Medium5 Low
MediumDynamic Requiredist/cli/commands/test-cmd.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings