registry  /  @proofkit/cli  /  3.0.2

@proofkit/cli@3.0.2

Interactive CLI to scaffold and manage ProofKit projects

AI Security Review

scanned 15m ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface. The package includes explicit CLI/MCP setup capabilities for its own ProofKit/FileMaker workflow, including Claude Desktop MCP configuration and FileMaker add-on download/open behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs proofkit CLI setup/MCP/add-on commands
Impact
Can modify ProofKit-owned local config/install paths and connect coding agents to local FileMaker bridge when explicitly invoked.
Mechanism
first-party MCP/server and FileMaker add-on setup
Rationale
Static inspection supports a warning for explicit first-party agent/MCP extension lifecycle behavior, but not a malicious block: there is no npm install-time mutation, stealth persistence, credential exfiltration, or unrelated remote code execution chain. The scanner's remote asset concern maps to a user-invoked FileMaker add-on download/open flow aligned with package functionality.
Evidence
package.jsonbin/proofkit.cjsdist/update-check-C6JETpny.jsdist/install-fm-addon-CJt415Nv.jsdist/deploy-html-DN6inlal.jsdist/mcp-CTrK90xI.jstemplate/extras/start-database/postgres.sh~/Library/Application Support/Claude/claude_desktop_config.json~/Library/Application Support/ProofKit/MCP/**~/Downloads/ProofKit/**
Network endpoints3
downloads.ottomatic.cloud/proofkit/manifest.jsonproofkit.proof.sh127.0.0.1:1365

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/update-check-C6JETpny.js computes Claude Desktop config path and MCP server entry for proofkit-mcp.
  • dist/install-fm-addon-CJt415Nv.js downloads FileMaker add-ons from downloads.ottomatic.cloud and writes them under user Downloads/ProofKit.
  • dist/mcp-CTrK90xI.js starts a proofkit-mcp stdio server exposing FileMaker bridge tools.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hook; only prepublishOnly build script.
  • bin/proofkit.cjs only dispatches to bundled platform binary or dist/index.js with PROOFKIT_PKG_ROOT.
  • Remote add-on download verifies sha256 when manifest provides it and is user-invoked, not install-time.
  • Network endpoints are ProofKit/FileMaker-aligned: local FileMaker bridge, proofkit docs/manifest, and Otto/FMS env-configured servers.
  • No credential harvesting or unrelated exfiltration found in inspected entrypoints.
  • template/extras/start-database/postgres.sh is a local dev Docker helper, not auto-run.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedProtestwareUrlStrings
ManifestNo manifest risk signals triggered.
scanned 215 file(s), 1.83 MB of source, external domains: 127.0.0.1, api.pwnedpasswords.com, create.t3.gg, dotenvx.com, downloads.ottomatic.cloud, github.com, json-schema.org, ottomatic.cloud, pnpm.io, proof.sh, proofkit.proof.sh, raw.githubusercontent.com, www.w3.org
Oversized source lightweight scan
dist/mcp-CTrK90xI.js3.58 MB file, sampled 256 KB
ChildProcessEnvironmentVarsMinifiedUrlStringsjson-schema.orgwww.w3.org

Source & flagged code

6 flagged · loading source
bin/proofkit.cjsView file
5const path = require("node:path"); L6: const { spawnSync } = require("node:child_process"); L7:
High
Child Process

Package source references child process execution.

bin/proofkit.cjsView on unpkg · L5
5Cross-file remote execution chain: bin/proofkit.cjs spawns dist/index.js; helper contains network access plus dynamic code execution. L5: const path = require("node:path"); L6: const { spawnSync } = require("node:child_process"); L7: ... L26: env: { L27: ...process.env, L28: PROOFKIT_PKG_ROOT: path.resolve(__dirname, ".."), L29: }, ... L43: if (process.env.PROOFKIT_DISABLE_BUNDLED_BINARY !== "1") { L44: const binaryName = BINARIES[process.platform]?.[process.arch]; L45: if (binaryName) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

bin/proofkit.cjsView on unpkg · L5
dist/install-fm-addon-CJt415Nv.jsView file
1import{i as e,n as t,r as n,t as r}from"./rolldown-runtime-DSjMdhoD.js";import{t as i}from"./graceful-fs-VGVzJ4T0.js";import{n as a}from"./open-CrTh9DTC.js";import o from"node:path... L2: `:` ... L4: `,i)}while(r!==-1);return a+=e.slice(i),a}const{stdout:ie,stderr:R}=ne,z=Symbol(`GENERATOR`),B=Symbol(`STYLER`),V=Symbol(`IS_EMPTY`),ae=[`ansi`,`ansi`,`ansi256`,`ansi16m`],oe=Objec... L5: `);return a!==-1&&(t=re(t,i,r,a)),r+t+i};Object.defineProperties(ue.prototype,oe);const ge=ue();ue({level:R?R.level:0});var _e=r(((e,t)=>{t.exports={name:`dotenv`,version:`16.6.1`,... L6: `);let r;for(;(r=c.exec(n))!=null;){let e=r[1],n=r[2]||``;n=n.trim();let i=n[0];n=n.replace(/^(['"`])([\s\S]*)\1$/gm,`$2`),i===`"`&&(n=n.replace(/\\n/g,` L7: `),n=n.replace(/\\r/g,`\r`)),t[e]=n}return t}function u(e){e||={};let t=g(e);e.path=t;let n=C.configDotenv(e);if(!n.parsed){let e=Error(`MISSING_DATA: Cannot parse ${t} for an unkn... L8: ... L49: `,t+1),i=r===-1?``:n.slice(r+1);String(e.stack).endsWith(i)||(e.stack+=` L50: `+n)}}catch{}}throw e}}_request(e,t){typeof e==`string`?(t||={},t.url=e):t=e||{},t=Ma(this.defaults,t);let{transitional:n,paramsSerializer:r,headers:i}=t;n!==void 0&&ao.assertOptio...
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/install-fm-addon-CJt415Nv.jsView on unpkg · L1
Trigger-reachable chain: manifest.exports -> dist/index.js -> dist/install-fm-addon-CJt415Nv.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/install-fm-addon-CJt415Nv.jsView on unpkg
template/extras/start-database/postgres.shView file
path = template/extras/start-database/postgres.sh kind = build_helper sizeBytes = 1941 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

template/extras/start-database/postgres.shView on unpkg
dist/mcp-CTrK90xI.jsView file
path = dist/mcp-CTrK90xI.js kind = oversized_source_file sizeBytes = 3752937 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/mcp-CTrK90xI.jsView on unpkg

Findings

2 Critical3 High5 Medium6 Low
CriticalRemote Asset Decode Executedist/install-fm-addon-CJt415Nv.js
CriticalTrigger Reachable Dangerous Capabilitydist/install-fm-addon-CJt415Nv.js
HighChild Processbin/proofkit.cjs
HighCross File Remote Execution Contextbin/proofkit.cjs
HighOversized Source Filedist/mcp-CTrK90xI.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumShips Build Helpertemplate/extras/start-database/postgres.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings