AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The only execution is a package-aligned, explicit Prisma status command; hooks are read-only checks.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `devaudit prisma migrate-status`.
Impact
May execute Prisma through npx in the consumer project; no package-originated exfiltration, persistence, or destructive action is present.
Mechanism
Runs fixed `npx prisma migrate status` in `ctx.projectPath`.
Rationale
The scanner signal is attributable to a documented, explicit Prisma status helper using fixed arguments. Source inspection found no install-time execution or concrete malicious chain.
Evidence
package.jsondist/plugin.jsREADME.mdprisma/schema.prismaprisma/migrations/
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/plugin.js` invokes `npx prisma migrate status` through `execa`.
- The command runs in caller-supplied `ctx.projectPath`.
Evidence against
- `package.json` has no preinstall, install, or postinstall hooks.
- The subprocess is only registered as explicit `migrate-status` command.
- `dist/plugin.js` uses fixed arguments; no shell, eval, or dynamic loading.
- Only `prisma/schema.prisma` and `prisma/migrations/` are read.
- No credential, environment harvesting, file writes, or network client code found.
- Hooks only inspect Prisma layout and log guidance.
Behavioral surface
FilesystemShell
Source & flagged code
2 flagged · loading sourcedist/plugin.jsView file
1import { execa } from 'execa';
L2: import { promises } from 'fs';
High
30ctx.logger.info(`Running \`npx prisma migrate status\` in ${ctx.projectPath}...`);
L31: const res = await execa("npx", ["prisma", "migrate", "status"], {
L32: cwd: ctx.projectPath,
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/plugin.jsView on unpkg · L30Findings
2 High2 Low
HighShelldist/plugin.js
HighRuntime Package Installdist/plugin.js
LowScripts Present
LowFilesystem