registry  /  @oxide/skepsis  /  0.1.0

@oxide/skepsis@0.1.0

> [σκέψις](https://www.perseus.tufts.edu/hopper/text?doc=Perseus:text:1999.04.0057:entry=ske/yis): viewing, perception by the senses. Examination, speculation, consideration.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a user-invoked local diff review CLI with a localhost web UI that runs jj/git and can insert user-authored review comments into source files.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the skepsis bin
Impact
Package-aligned local file reads/writes in the reviewed repository and viewed-state storage; no external data exfiltration observed
Mechanism
local HTTP UI for VCS diff review and comment insertion
Rationale
Scanner hits map to package-aligned git/jj execution, localhost serving, and review-comment file edits in a documented local code review tool. With no lifecycle execution, external endpoints, credential collection, persistence, or AI-agent hijack behavior, this is not malicious.
Evidence
package.jsonREADME.mddist/cli.jscwd/<reviewed file>~/.local/share/skepsis/<cwd-hash>.viewed
Network endpoints1
localhost

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/cli.js starts a local HTTP API and can write review comments into files under the current repo when the UI calls /api/comment.
  • dist/cli.js shells out to jj/git diff/show and reads working-copy files for a local diff review workflow.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; prepack is publish-time only.
  • README.md documents a local browser-based diff review UI with jj/git integration and source-file review comments.
  • dist/cli.js binds to localhost by default and opens a local browser URL; no external exfiltration endpoint was found.
  • process.env use is limited to HOME for ~/.local/share/skepsis viewed-state storage and passing env to dev-mode Vite.
  • No AI-agent control-surface writes, persistence hooks, credential harvesting, remote code loading, or dependency-confusion behavior found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 309 file(s), 10.5 MB of source, external domains: base-ui.com, github.com, json-schema.org, react.dev, www.w3.org

Source & flagged code

7 flagged · loading source
dist/web/assets/index-CA5iKp7g.jsView file
160?|[ L161: \v\f…\u2028\u2029])`),t));else if(c===`posix`)if(!i&&(u===`graph`||u===`print`)){if(r===`strict`)throw Error(`POSIX class "${u}" requires min target ES2024 or non-strict accuracy`)... L162: `)),e}var Zy=Symbol(`no-token`),Qy=Symbol(`multiple-tokens`);function $y(e){let t=eb(e);if(t!=null)return t;let n=Zy,r=[],i=[],a,o=()=>{if(i.length===0||a==null){i=[],a=void 0;retu...
High
Child Process

Package source references child process execution.

dist/web/assets/index-CA5iKp7g.jsView on unpkg · L160
dist/cli.jsView file
1#!/usr/bin/env node L2: import { execFileSync, spawn } from "child_process"; L3: import fs, { existsSync } from "node:fs"; ... L8: import { stripVTControlCharacters } from "node:util"; L9: import { createServer } from "http"; L10: import { Http2ServerRequest, constants } from "http2"; ... L36: * Constructs the CommanderError class L37: * @param {number} exitCode suggested exit code which could be used with process.exit L38: * @param {string} code an id string representing the error ... L177: * @return {string} L178: * @private L179: */
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli.jsView on unpkg · L1
1Trigger-reachable chain: manifest.bin -> dist/cli.js L1: #!/usr/bin/env node L2: import { execFileSync, spawn } from "child_process"; L3: import fs, { existsSync } from "node:fs"; ... L8: import { stripVTControlCharacters } from "node:util"; L9: import { createServer } from "http"; L10: import { Http2ServerRequest, constants } from "http2"; ... L36: * Constructs the CommanderError class L37: * @param {number} exitCode suggested exit code which could be used with process.exit L38: * @param {string} code an id string representing the error ... L177: * @return {string} L178: * @private L179: */
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L1
1772if (process$1.versions?.electron) parseOptions.from = "electron"; L1773: const execArgv = process$1.execArgv ?? []; L1774: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) parseOptions.from = "eval";
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L1772
18513try { L18514: new Function(""); L18515: return true;
High
Eval

Package source references dynamic code evaluation.

dist/cli.jsView on unpkg · L18513
22284if (shouldAutoOpen) viteArgs.push("--open"); L22285: const vite = spawn("npx", viteArgs, { L22286: cwd: checkoutRoot, ... L22288: env: { L22289: ...process.env, L22290: API_HOST: hostname, ... L22295: } else if (shouldAutoOpen) { L22296: const url = `http://localhost:${apiPort}`; L22297: const { cmd, args } = urlOpenCommand(url);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L22284
dist/web/assets/javascript-KezPQq9h.jsView file
1import{t as e}from"./index-CA5iKp7g.js";var t=e({default:()=>n}),n=[Object.freeze(JSON.parse(`{"displayName":"JavaScript","name":"javascript","patterns":[{"include":"#directives"},...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/web/assets/javascript-KezPQq9h.jsView on unpkg · L1

Findings

2 Critical4 High4 Medium6 Low
CriticalCommand Output Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
HighChild Processdist/web/assets/index-CA5iKp7g.js
HighShelldist/cli.js
HighEvaldist/cli.js
HighSame File Env Network Executiondist/cli.js
MediumDynamic Requiredist/web/assets/javascript-KezPQq9h.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License