registry  /  @metasession.co/devaudit-cli  /  0.3.5

@metasession.co/devaudit-cli@0.3.5

DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an SDLC onboarding/evidence CLI with user-invoked project file writes, GitHub configuration, uploads, and plugin management.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs devaudit CLI commands such as install, push, auth login, doctor, or plugin install/update.
Impact
Can modify consumer project SDLC files and run npm/git/gh commands when explicitly invoked; no install-time or hidden execution found.
Mechanism
User-directed SDLC scaffolding, evidence upload, GitHub automation, and local plugin management
Rationale
Static inspection confirms the scanner signals are real but package-aligned and activated by explicit CLI commands, not by install/import-time execution. The AI-agent rule-file writes are part of the documented SDLC sync/install workflow and do not establish unconsented lifecycle control-surface mutation.
Evidence
package.jsonbin/devaudit.jsdist/index.jsscripts/upload-evidence.sh~/.config/devaudit/auth.json~/.config/devaudit/pluginssdlc-config.jsonSDLC/.github/ISSUE_TEMPLATE/AGENTS.mdCLAUDE.mdGEMINI.mdINSTRUCTIONS.md.cursorrules.windsurfrules.husky/
Network endpoints4
devaudit.metasession.coapi.github.comuser-configured DEVAUDIT_BASE_URLpresigned uploadUrl returned by DevAudit API

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js has user-invoked plugin install/update commands that run git clone/pull and npm install.
  • dist/index.js syncAiRules writes AGENTS.md, CLAUDE.md, GEMINI.md, .cursorrules, .windsurfrules, and INSTRUCTIONS.md into target projects.
  • dist/index.js uploads user-selected evidence files with bearer auth to configured DevAudit endpoints.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hooks.
  • bin/devaudit.js only imports dist/index.js; behavior is CLI-triggered, not install-time.
  • Network endpoints are package-aligned: https://devaudit.metasession.co and https://api.github.com plus user-configured base URLs.
  • Auth storage is explicit login flow to ~/.config/devaudit/auth.json; env vars are named DEVAUDIT/GitHub tokens.
  • Shell/package-manager use is tied to doctor, install/bootstrap, GitHub, and plugin management commands.
  • No obfuscated payloads, credential harvesting beyond documented tokens, persistence, or destructive behavior found.
Behavioral surface
Source
DynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 146 KB of source, external domains: api.github.com, devaudit.metasession.co, github.com, www.conventionalcommits.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
3import { createConsola } from 'consola'; L4: import { execa } from 'execa'; L5: import { join, resolve, basename, dirname, relative } from 'path';
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L3
1731} L1732: await execa("npx", ["husky", "init"], { cwd: ctx.projectPath, stdio: "inherit" }); L1733: return { step: "8/11 Bootstrap hook framework", status: "ok", message: ".husky/ bootstrapped" };
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L1731
79const mainPath = resolve(dir, result.main); L80: const mod = await import(toFileUrl(mainPath)); L81: if (!mod.default || typeof mod.default !== "object") {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L79
scripts/upload-evidence.shView file
path = scripts/upload-evidence.sh kind = build_helper sizeBytes = 23340 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/upload-evidence.shView on unpkg

Findings

2 High5 Medium4 Low
HighShelldist/index.js
HighRuntime Package Installdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/upload-evidence.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings