registry  /  @neetru/cli  /  2.13.1

@neetru/cli@2.13.1

Neetru Developer Kit — scaffold, AI assistant, publish, build e deploy de produtos SaaS Neetru via Core (VM-based agents)

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs neetru archive skills install/update/uninstall or neetru auth setup/pull.
Impact
Can add/update/remove Claude skills and copy AI provider API keys into Neetru CLI config when invoked.
Mechanism
user-invoked agent extension setup and local credential reuse
Rationale
Source inspection shows sensitive but user-invoked CLI capabilities aligned with the package purpose, with no npm install-time mutation or hidden payload behavior. Because it can mutate ~/.claude/skills from a remote repo, warn rather than block.
Evidence
package.jsondist/index.jsdist/commands/archive.jsdist/lib/ai/auth-discovery.jsdist/commands/auth.jsdist/lib/api-client.jsdist/lib/telemetry.jsdist/commands/config.jsdist/commands/deploy.js~/.claude/skills/<skill>~/.neetru/archive-cache~/.config/neetru-cli/mfa-session.json~/.config/neetru-cli/install-id
Network endpoints6
github.com/Neetru/neetru-libs-public.gitapi.neetru.comapi.groq.com/openai/v1integrate.api.nvidia.com/v1generativelanguage.googleapis.com/v1beta/models/registry.npmjs.org/-/package/@neetru/cli/dist-tags

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/archive.js clones https://github.com/Neetru/neetru-libs-public.git and installs/removes entries under ~/.claude/skills via explicit archive skills commands.
  • dist/index.js wires archive skills install/update/uninstall as user-invoked subcommands, not install-time hooks.
  • dist/lib/ai/auth-discovery.js reads ~/.claude/.credentials.json, ~/.codex/auth.json and AI provider env vars, and auth pull/setup can copy API keys into Neetru config.
  • dist/lib/ai/auth-discovery.js can run npm install -g for AI CLIs, but only through interactive auth setup confirmation.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly builds before publishing.
  • dist/lib/telemetry.js states telemetry is default-off and sends only command metadata/installId when enabled.
  • dist/lib/api-client.js defaults to https://api.neetru.com and dist/commands/config.js blocks untrusted neetruApiUrl unless explicitly overridden.
  • dist/commands/deploy.js filters secret-looking env vars and dangerous env keys before deploy requests.
  • No evidence of import-time exfiltration, hidden remote payload execution, persistence, or destructive install behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 103 file(s), 946 KB of source, external domains: api.groq.com, api.neetru.com, cloud.google.com, core.neetru.com, deb.nodesource.com, generativelanguage.googleapis.com, get.docker.com, git-scm.com, github.com, integrate.api.nvidia.com, minhaconta.neetru.com, neetru.com, registry.npmjs.org, sdk.cloud.google.com, storage.googleapis.com

Source & flagged code

7 flagged · loading source
dist/lib/db-pipeline/rehearse.jsView file
68patternName = generic_password severity = medium line = 68 matchedText = password...ev',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/lib/db-pipeline/rehearse.jsView on unpkg · L68
73patternName = generic_password severity = medium line = 73 matchedText = password...ev',
Medium
Secret Pattern

Hardcoded password in dist/lib/db-pipeline/rehearse.js

dist/lib/db-pipeline/rehearse.jsView on unpkg · L73
dist/lib/ai/auth-discovery.jsView file
18*/ L19: import { execSync, execFileSync } from 'node:child_process'; L20: import { existsSync, readFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/lib/ai/auth-discovery.jsView on unpkg · L18
284try { L285: execSync(`npm install -g ${npmPackage}`, { stdio: 'inherit' }); L286: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/lib/ai/auth-discovery.jsView on unpkg · L284
dist/commands/build.jsView file
216* Detecta se um script npm usa prefixo de variável de ambiente no estilo Unix L217: * (ex: `NODE_ENV=production next build`) que é incompatível com cmd.exe. L218: *
High
Shell

Package source references shell execution.

dist/commands/build.jsView on unpkg · L216
dist/commands/bootstrap.jsView file
8* 1. Verifica binários do sistema (Node, npm, git, gcloud, docker, firebase). L9: * 2. Pra deps Node críticas — auto-install no `cwd` se há `package.json`. L10: * 3. Pra binários do SO — NÃO auto-install (risco em máquinas variadas); ... L24: */ L25: import { spawn, spawnSync } from 'node:child_process'; L26: import * as fsSync from 'node:fs'; ... L36: return null; L37: const out = (r.stdout || r.stderr || '').trim(); L38: // Pega a primeira string que parece versão semver (X.Y.Z) ... L61: return null; L62: const p = process.platform; L63: return installCmd[p] ?? installCmd.linux ?? null;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/bootstrap.jsView on unpkg · L8
dist/commands/deploy.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @neetru/cli@2.12.22 matchedIdentity = npm:QG5lZXRydS9jbGk:2.12.22 similarity = 0.882 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/deploy.jsView on unpkg

Findings

1 Critical4 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/commands/deploy.js
HighChild Processdist/lib/ai/auth-discovery.js
HighShelldist/commands/build.js
HighSandbox Evasion Gated Capabilitydist/commands/bootstrap.js
HighRuntime Package Installdist/lib/ai/auth-discovery.js
MediumSecret Patterndist/lib/db-pipeline/rehearse.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/lib/db-pipeline/rehearse.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings