registry  /  @machinen/runtime  /  0.7.1

@machinen/runtime@0.7.1

The TypeScript API behind machinen. Reach for this when you want to drive microVMs from your own Node.js code instead of through the CLI.

AI Security Review

scanned 14d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package exposes a VM runtime that can spawn local helper binaries, manage VM files, and optionally download gvproxy when a user boots networking.

Static reason
One or more suspicious static signals were detected.
Trigger
Import exposes APIs; behavior activates when callers invoke boot, attach, file transfer, snapshot, or related runtime functions.
Impact
Expected VM/runtime side effects only; no evidence of unconsented exfiltration or install-time execution.
Mechanism
User-invoked microVM runtime orchestration
Rationale
Static inspection shows suspicious primitives are package-aligned runtime capabilities for managing microVMs and helper binaries, not hidden install/import behavior. The only external fetch is an explicit gvproxy helper download path used by VM networking setup, with no credential collection or exfiltration flow.
Evidence
package.jsondist/index.jsREADME.mdAPI.md
Network endpoints1
github.com/containers/gvisor-tap-vsock/releases/download/${GVPROXY_VERSION}/${assetName}

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle scripts and exports only dist/index.js.
    • dist/index.js child_process use is in exported VM/runtime APIs: PTY shim, tar file transfer, VMM/gvproxy spawning, native helpers.
    • Dynamic require only resolves platform optional @machinen/native-* helper packages or self-import for restore/fork logic.
    • Only outbound fetch downloads gvproxy v0.8.6 from GitHub during user-invoked VM networking setup, not install/import.
    • Filesystem writes are runtime cache/registry/snapshot artifacts under .machinen/tmp paths, aligned with VM management.
    • No credential harvesting, secret env probes, obfuscated payloads, persistence hooks, or AI-agent control-surface writes found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 401 KB of source, external domains: github.com, json-schema.org, machinen.dev

    Source & flagged code

    4 flagged · loading source
    dist/index.jsView file
    490// src/pty.ts L491: import { spawn } from "child_process"; L492: import { PassThrough } from "stream";
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L490
    1000* Run `cmd` inside the guest via the exec-agent. The command string L1001: * is passed verbatim to `sh -c` inside the guest, so shell syntax L1002: * (pipes, redirection, env) works.
    High
    Shell

    Package source references shell execution.

    dist/index.jsView on unpkg · L1000
    6925req.once("error", fail); L6926: req.write(body); L6927: req.end(); ... L6934: warnedMissing = true; L6935: process.stderr.write( L6936: "machinen: gvproxy not found \u2014 microVM networking is disabled.\n Install: https://github.com/containers/gvisor-tap-vsock/releases\n Or point MACHINEN_GVPROXY at the binary d... L6937: ); ... L6940: // src/nested-virt.ts L6941: import { spawnSync as spawnSync2 } from "child_process"; L6942:
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/index.jsView on unpkg · L6925
    498var PTY_NAME = "machinen-pty"; L499: var require_ = createRequire(import.meta.url); L500: function resolvePtyShim() {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/index.jsView on unpkg · L498

    Findings

    3 High3 Medium4 Low
    HighChild Processdist/index.js
    HighShelldist/index.js
    HighCommand Output Exfiltrationdist/index.js
    MediumDynamic Requiredist/index.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings