AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. The risky primitives are CLI features for scaffolding SASjs projects, generating docs, and calling user-configured SASjs servers.
Decision evidence
public snapshot- package.json has prepare script: git rev-parse --git-dir && git config core.hooksPath ./.git-hooks || true
- build/utils/utils.js uses shelljs.exec for wget/curl/powershell downloads and npm install during sasjs create
- build/commands/docs/generateDocs.js builds a shell command to run doxygen with project-derived paths
- build/index.js only dispatches CLI args to ./cli; no import-time payload observed
- Network activity is tied to user-invoked SASjs create/docs/server commands and SASjs/GitHub/user target URLs
- Runtime npm install occurs after explicit sasjs create scaffolding, inside the requested project folder
- Env reads load local .env/.env.target for SAS credentials but no exfiltration sink was found
- No AI-agent control-surface files or foreign agent config writes found
Source & flagged code
7 flagged · loading sourcePackage source references child process execution.
build/commands/create/spec/create.spec.jsView on unpkg · L60Package source invokes a package manager install command at runtime.
build/utils/utils.jsView on unpkg · L326This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
build/commands/docs/generateDocs.jsView on unpkgHardcoded password in build/commands/add/spec/addTarget.spec.js
build/commands/add/spec/addTarget.spec.jsView on unpkg · L237Hardcoded password in build/commands/add/spec/addTarget.spec.js
build/commands/add/spec/addTarget.spec.jsView on unpkg · L359Hardcoded password in build/commands/job/spec/jobCommand.spec.js
build/commands/job/spec/jobCommand.spec.jsView on unpkg · L114