
@reddoorla/maintenance@0.65.1

Canonical maintenance configs, audits, and recipes for the reddoor stack.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The risky primitives are explicit CLI maintenance/reporting capabilities for Reddoor sites, not install-time or import-time malware.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs reddoor-maint commands or imports exported library functions.
Impact
Can intentionally mutate target repos, install dependencies, run audits, send reports, and update GitHub/Netlify/Airtable/Resend state when invoked with credentials.
Mechanism
User-invoked maintenance automation with subprocesses, project file writes, and service API calls.
Rationale
Static inspection shows an operator maintenance CLI with documented, user-invoked repo mutation and service API integrations, but no lifecycle execution, hidden payload, unrelated exfiltration, persistence, or AI-agent control-surface tampering. Scanner findings are explained by legitimate audits/recipes/reporting features.
Evidence
  • package.json
  • README.md
  • dist/cli/bin.js
  • dist/chunk-6VAL7XJT.js
  • dist/chunk-HVOOCK6L.js
  • dist/chunk-ZYBOT5PM.js
  • dist/chunk-4NAOR44V.js
  • dist/chunk-PBDZGBGL.js
  • dist/chunk-IRRZG66U.js
  • dist/chunk-FH7WQHD7.js
  • ~/.config/reddoor-maint/credentials.env
  • pnpm-lock.yaml
  • .github/workflows/ci.yml
  • .github/workflows/renovate.yml
  • renovate.json
  • src/routes/dev/a11y-fixtures/+page.svelte
  • reports/<slug>/draft.html
Network endpoints (6)
  • content.airtable.com/v0/
  • api.github.com
  • api.netlify.com/api/v1/
  • www.googleapis.com/auth/analytics.readonly
  • searchconsole.googleapis.com/webmasters/v3
  • resend.com/webhooks

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli/bin.js calls loadCredentialsIntoEnv() on CLI startup, reading ~/.config/reddoor-maint/credentials.env into process.env.
  • dist/chunk-FH7WQHD7.js dynamically imports user-supplied .js/.mjs fleet inventory files when --fleet is used.
  • dist/chunk-ZYBOT5PM.js and dist/chunk-D3DQFC32.js run pnpm install/up during explicit maintenance recipes.
  • dist/chunk-IRRZG66U.js can write CI/Renovate files, open PRs, and set RENOVATE_TOKEN via GitHub CLI during self-updating command.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; bin is explicit reddoor-maint CLI.
  • README.md documents the same audits, recipes, Airtable/Resend reporting, GitHub/Netlify integrations, and mutation behavior.
  • dist/chunk-HVOOCK6L.js uses child_process.spawn with argument arrays, not shell command strings.
  • Network use is aligned to documented services: Airtable, Resend, GitHub, Netlify, Google APIs, and user-provided site URLs.
  • Credential reads are used as API credentials for package-aligned operations; no source path shows bulk env harvesting or exfiltration to an unrelated host.
  • dist/chunk-4NAOR44V.js validates repo names/URLs and uses git clone -- to reduce argv injection risk.
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Obfuscated, Url Strings
Manifest: No manifest risk signals triggered.
scanned 86 file(s), 407 KB of source, external domains: api.github.com, api.netlify.com, content.airtable.com, developer.chrome.com, docs.renovatebot.com, github.com, images.prismic.io, player.vimeo.com, reddoor-maintenance.netlify.app, searchconsole.googleapis.com, static.cdn.prismic.io, www.googleapis.com, x.invalid

Source & flagged code

4 flagged
dist/chunk-4NAOR44V.js
  L51: if (!expected) return;
  L52: const r = await spawn("git", ["-C", path, "remote", "get-url", "origin"], {
  L53:   timeoutMs: 3e4
High
Child Process

Package source references child process execution.

dist/chunk-4NAOR44V.js · L51
dist/chunk-FH7WQHD7.js
  L31: if (input.fleet === "airtable") {
  L32:   const { openBase, readAirtableConfig } = await import("./client-EPVO3FEH.js");
  L33:   const { fromAirtableBase } = await import("./airtable-GGZJUGQB.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-FH7WQHD7.js · L31
dist/chunk-PBDZGBGL.js
  L34: launchHeading: "LAUNCHED",
  L35: launchBody: "Your site is live. We've set it up on the Reddoor stack with hosting, security, and automatic maintenance so it stays fast and healthy. Here's what's in place:",
  L36: launchSetupItems: [
  ...
  L174: <mj-text color="${RED}" font-size="20px" font-weight="700" padding-top="${labelTop}">LIGHTHOUSE SCORES*</mj-text>${rows}
  L175: <mj-text color="${GREY}" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" padding-top="24px" padding-bottom="${footnoteBottom}" line-height="20px">*A Lighthou...
  L176: </mj-column>
  ...
  L554: const start = bytes[0] === 239 && bytes[1] === 187 && bytes[2] === 191 ? 3 : 0;
  L555: const head = Buffer.from(bytes.slice(start, start + 64)).toString("ascii").replace(/^[\s]+/, "").toLowerCase();
  L556: return head.startsWith("<!doctype html") || head.startsWith("<html") || head.startsWith("<head");
  ...
  L576: async function uploadAttachment(recordId, fieldName, body, filename, contentType) {
  L577:   const apiKey = process.env.AIRTABLE_PAT;
  L578:   const baseId = process.env.AIRTABLE_BASE_ID;
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/chunk-PBDZGBGL.js · L34
dist/chunk-ZYBOT5PM.js
  L131: await writePackageJson(pkgPath, next);
  L132: const installResult = await spawn("pnpm", ["install"], { cwd, streaming: true });
  L133: if (installResult.code !== 0) {
  ...
  L135:   kind: "failed",
  L136:   notes: `pnpm install failed (exit ${installResult.code})`
  L137: };
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/chunk-ZYBOT5PM.js · L131

Findings

4 High, 4 Medium, 5 Low
  • High · Child Process · dist/chunk-4NAOR44V.js
  • High · Shell
  • High · Credential Exfiltration · dist/chunk-PBDZGBGL.js
  • High · Runtime Package Install · dist/chunk-ZYBOT5PM.js
  • Medium · Dynamic Require · dist/chunk-FH7WQHD7.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · Obfuscated
  • Low · High Entropy Strings
  • Low · Url Strings