registry  /  @machinen/runtime  /  0.8.1

@machinen/runtime@0.8.1

The TypeScript API behind machinen. Reach for this when you want to drive microVMs from your own Node.js code instead of through the CLI.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Calling VM boot with networking and no existing gvproxy can fetch and execute a remote helper. This is package-aligned runtime behavior, but the fetched executable is not integrity-verified.

Static reason
One or more suspicious static signals were detected.
Trigger
User code invokes the runtime's VM boot/networking path without a local gvproxy binary.
Impact
A compromised upstream release asset could execute with the invoking user's privileges.
Mechanism
Runtime download, chmod, and spawn of gvproxy
Rationale
No malicious install-time behavior or data theft was found. Warn because runtime remote executable acquisition lacks visible integrity verification and executes with caller privileges.
Evidence
package.jsondist/index.jsREADME.mdAPI.md~/.machinen/gvproxy/v0.8.6/gvproxy
Network endpoints1
github.com/containers/gvisor-tap-vsock/releases/download/${GVPROXY_VERSION}/${assetName}

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` downloads a platform-specific `gvproxy` binary at runtime.
  • Downloaded bytes are written under `~/.machinen`, chmod 0755, then spawned.
  • The download URL has no visible checksum or signature verification.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Network download is reachable from explicit VM boot/networking behavior, not import time.
  • Process, filesystem, and guest command APIs align with a microVM runtime.
  • No credential harvesting, exfiltration, AI-agent config mutation, or stealth persistence found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 398 KB of source, external domains: github.com, json-schema.org, machinen.dev

Source & flagged code

4 flagged · loading source
dist/index.jsView file
490// src/pty.ts L491: import { spawn } from "child_process"; L492: import { PassThrough } from "stream";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L490
1000* Run `cmd` inside the guest via the exec-agent. The command string L1001: * is passed verbatim to `sh -c` inside the guest, so shell syntax L1002: * (pipes, redirection, env) works.
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1000
6640req.once("error", fail); L6641: req.write(body); L6642: req.end(); ... L6649: warnedMissing = true; L6650: process.stderr.write( L6651: "machinen: gvproxy not found \u2014 microVM networking is disabled.\n Install: https://github.com/containers/gvisor-tap-vsock/releases\n Or point MACHINEN_GVPROXY at the binary d... L6652: ); ... L6655: // src/nested-virt.ts L6656: import { spawnSync as spawnSync2 } from "child_process"; L6657:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L6640
498var PTY_NAME = "machinen-pty"; L499: var require_ = createRequire(import.meta.url); L500: function resolvePtyShim() {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L498

Findings

3 High3 Medium4 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings