registry  /  @machinen/runtime  /  0.8.0

@machinen/runtime@0.8.0

The TypeScript API behind machinen. Reach for this when you want to drive microVMs from your own Node.js code instead of through the CLI.

AI Security Review

scanned 10h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime process execution, VM registry writes, and the gvproxy download occur only through explicit microVM boot/networking operations.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer calls the runtime boot/networking APIs.
Impact
Can execute configured VM helpers and download a networking sidecar required for the requested VM feature; no unconsented host-control mutation found.
Mechanism
User-invoked microVM helper execution and gvproxy cache download.
Rationale
The flagged primitives implement the documented microVM runtime and are activated by consumer runtime calls, not installation or import. Source inspection found no concrete malicious chain or unconsented control-surface mutation.
Evidence
package.jsonREADME.mddist/index.jsdist/index.d.ts~/.machinen/gvproxy/v0.8.6/gvproxy~/.machinen/vms
Network endpoints1
github.com/containers/gvisor-tap-vsock/releases/download/${GVPROXY_VERSION}/${assetName}

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.js` downloads a `gvproxy` release binary during VM networking setup.
  • `dist/index.js` uses child processes to launch VM helpers and user-requested guest commands.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • `README.md` and `dist/index.js` consistently identify the package as a microVM runtime.
  • Network download is limited to the explicit GitHub gvproxy release URL.
  • Dynamic requires select matching declared `@machinen/native-*` optional dependencies.
  • No credential harvesting, exfiltration, AI-agent config access, eval, or import-time execution found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 398 KB of source, external domains: github.com, json-schema.org, machinen.dev

Source & flagged code

4 flagged · loading source
dist/index.jsView file
490// src/pty.ts L491: import { spawn } from "child_process"; L492: import { PassThrough } from "stream";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L490
1000* Run `cmd` inside the guest via the exec-agent. The command string L1001: * is passed verbatim to `sh -c` inside the guest, so shell syntax L1002: * (pipes, redirection, env) works.
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1000
6640req.once("error", fail); L6641: req.write(body); L6642: req.end(); ... L6649: warnedMissing = true; L6650: process.stderr.write( L6651: "machinen: gvproxy not found \u2014 microVM networking is disabled.\n Install: https://github.com/containers/gvisor-tap-vsock/releases\n Or point MACHINEN_GVPROXY at the binary d... L6652: ); ... L6655: // src/nested-virt.ts L6656: import { spawnSync as spawnSync2 } from "child_process"; L6657:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L6640
498var PTY_NAME = "machinen-pty"; L499: var require_ = createRequire(import.meta.url); L500: function resolvePtyShim() {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L498

Findings

3 High3 Medium4 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings