registry  /  @neetru/cli  /  2.14.0

@neetru/cli@2.14.0

Neetru Developer Kit — scaffold, AI assistant, publish, build e deploy de produtos SaaS Neetru via Core (VM-based agents)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No concrete malicious install-time or stealth behavior was found. The remaining risk is an explicit first-party agent-extension lifecycle capability: user-run marketplace/archive skills commands can populate Claude Code skills from a Neetru GitHub repo.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs neetru marketplace/archive skills install/update or auth/code commands.
Impact
Potential agent extension and credential-handling risk if the user opts into these commands; no unconsented package install-time hijack or exfiltration confirmed.
Mechanism
Explicit CLI-controlled credential reuse, AI gateway context sharing, and Claude skills installation.
Rationale
Source inspection does not support a malicious verdict: no install-time mutation, hidden persistence, credential exfiltration, or remote payload execution was found. Because it can explicitly install first-party Claude skills, warn for agent-extension lifecycle risk rather than block.
Evidence
package.jsondist/index.jsdist/commands/marketplace.jsdist/commands/auth.jsdist/lib/ai/auth-discovery.jsdist/commands/code.jsdist/lib/code-agent-files.jsdist/lib/telemetry.jsdist/lib/url-allowlist.js~/.claude/skills/<skill>~/.neetru/marketplace-cache~/.config/neetru-cli/auth.json~/.config/neetru-cli/mfa-session.json~/.config/neetru-cli/install-id
Network endpoints7
api.neetru.comcore.neetru.comgithub.com/Neetru/neetru-libs.gitgithub.com/Neetru/neetru-libsapi.groq.com/openai/v1integrate.api.nvidia.com/v1generativelanguage.googleapis.com/v1beta/models/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/marketplace.js clones https://github.com/Neetru/neetru-libs.git and installs skills into ~/.claude/skills via explicit marketplace command.
  • dist/lib/ai/auth-discovery.js reads Claude/Codex/Gemini credential files and env vars; dist/commands/auth.js can copy extracted API keys to Neetru config on auth pull/setup.
  • dist/commands/code.js sends selected cwd file context to /api/cli/v1/ai/chat and can apply AI-proposed patches with confirmation or --yes.
Evidence against
  • package.json has only prepublishOnly; no preinstall/install/postinstall runtime hook.
  • dist/index.js only registers commander subcommands; risky actions are user-invoked, not import/install-time.
  • dist/lib/code-agent-files.js constrains reads to cwd, rechecks realpath symlinks, blocks secret-looking paths, and redacts secret-like lines.
  • dist/lib/config.js and dist/lib/url-allowlist.js restrict neetruApiUrl to Neetru/localhost unless explicit override is used, with warnings.
  • dist/lib/telemetry.js is default-off and sends command metadata/installId only when telemetry.enabled is true.
  • Shell/process execution is aligned with CLI features: git, npm, docker, tar, gcloud, browser open, and git apply for user-requested workflows.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 109 file(s), 1002 KB of source, external domains: api.groq.com, api.neetru.com, cloud.google.com, core.neetru.com, deb.nodesource.com, generativelanguage.googleapis.com, get.docker.com, git-scm.com, github.com, integrate.api.nvidia.com, minhaconta.neetru.com, neetru.com, registry.npmjs.org, sdk.cloud.google.com, storage.googleapis.com

Source & flagged code

7 flagged · loading source
dist/lib/db-pipeline/rehearse.jsView file
68patternName = generic_password severity = medium line = 68 matchedText = password...ev',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/lib/db-pipeline/rehearse.jsView on unpkg · L68
73patternName = generic_password severity = medium line = 73 matchedText = password...ev',
Medium
Secret Pattern

Hardcoded password in dist/lib/db-pipeline/rehearse.js

dist/lib/db-pipeline/rehearse.jsView on unpkg · L73
dist/lib/code-agent-files.jsView file
2import path from 'node:path'; L3: import { spawnSync } from 'node:child_process'; L4: const DEFAULT_IGNORES = new Set([
High
Child Process

Package source references child process execution.

dist/lib/code-agent-files.jsView on unpkg · L2
dist/commands/build.jsView file
216* Detecta se um script npm usa prefixo de variável de ambiente no estilo Unix L217: * (ex: `NODE_ENV=production next build`) que é incompatível com cmd.exe. L218: *
High
Shell

Package source references shell execution.

dist/commands/build.jsView on unpkg · L216
dist/commands/bootstrap.jsView file
8* 1. Verifica binários do sistema (Node, npm, git, gcloud, docker, firebase). L9: * 2. Pra deps Node críticas — auto-install no `cwd` se há `package.json`. L10: * 3. Pra binários do SO — NÃO auto-install (risco em máquinas variadas); ... L24: */ L25: import { spawn, spawnSync } from 'node:child_process'; L26: import * as fsSync from 'node:fs'; ... L36: return null; L37: const out = (r.stdout || r.stderr || '').trim(); L38: // Pega a primeira string que parece versão semver (X.Y.Z) ... L61: return null; L62: const p = process.platform; L63: return installCmd[p] ?? installCmd.linux ?? null;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/bootstrap.jsView on unpkg · L8
dist/lib/ai/auth-discovery.jsView file
284try { L285: execSync(`npm install -g ${npmPackage}`, { stdio: 'inherit' }); L286: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/ai/auth-discovery.jsView on unpkg · L284
dist/commands/code.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @neetru/cli@2.13.1 matchedIdentity = npm:QG5lZXRydS9jbGk:2.13.1 similarity = 0.951 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/code.jsView on unpkg

Findings

1 Critical4 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/code.js
HighChild Processdist/lib/code-agent-files.js
HighShelldist/commands/build.js
HighSandbox Evasion Gated Capabilitydist/commands/bootstrap.js
HighRuntime Package Installdist/lib/ai/auth-discovery.js
MediumSecret Patterndist/lib/db-pipeline/rehearse.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/lib/db-pipeline/rehearse.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings