registry  /  @sigx/lynx-cli  /  0.12.2

@sigx/lynx-cli@0.12.2

Lynx CLI plugin for sigx — config, prebuild, auto-linking

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked mobile-development CLI that scaffolds project files, launches local build tools, and serves local development content.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit `sigx lynx` commands such as prebuild, dev, run:web, add/remove, or upgrade.
Impact
Expected modifications are confined to the caller's project and occur after explicit CLI invocation; no unconsented install-time behavior or exfiltration was established.
Mechanism
User-invoked native-project generation, local dev serving, and build/package-manager orchestration.
Rationale
Static source inspection supports a normal CLI/plugin workflow rather than a malicious chain. The flagged primitives are package-aligned and explicitly user-invoked, with no lifecycle execution or concrete data-exfiltration/persistence behavior.
Evidence
package.jsondist/index.jsdist/prebuild.jsdist/dev-server.jsdist/web-server.jstemplates/android/gradle/wrapper/gradle-wrapper.jarsignalx.config.tsandroid/ios/dist/

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/prebuild.js` dynamically imports the caller's `signalx.config.*` during explicit prebuild.
  • `dist/web-server.js` spawns `npx rspeedy build` only for the user-invoked web command.
  • `dist/packages.js` and `dist/upgrade.js` run package-manager commands only from explicit add/remove/upgrade commands.
  • `templates/android/gradle/wrapper/gradle-wrapper.jar` is a Gradle wrapper archive with `org/gradle/wrapper/*` classes.
Evidence against
  • `package.json` contains no preinstall, install, postinstall, or prepare lifecycle hook.
  • `dist/index.js` only exports CLI functionality; no import-time execution chain was found.
  • `dist/dev-server.js` sends reload requests only to `127.0.0.1` on a local dev-server port.
  • No credential harvesting, broad home-directory reads, exfiltration endpoint, eval/vm use, or AI-agent control-surface writes were found.
  • `dist/prebuild.js` writes generated Android/iOS project files only as part of explicit prebuild scaffolding.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 45 file(s), 516 KB of source, external domains: github.com, schemas.android.com, www.apple.com

Source & flagged code

9 flagged · loading source
dist/web-server.jsView file
20*/ L21: import { spawn } from 'node:child_process'; L22: import { createServer as createNetServer } from 'node:net';
High
Child Process

Package source references child process execution.

dist/web-server.jsView on unpkg · L20
168logger.log(`Building the web bundle${watchMode ? ' (watching for changes)' : ''}…`); L169: const buildChild = spawn('npx', buildArgs, { cwd, stdio: 'inherit', shell: true }); L170: let buildExit = null;
High
Shell

Package source references shell execution.

dist/web-server.jsView on unpkg · L168
dist/prebuild.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sigx/lynx-cli@0.12.0 matchedIdentity = npm:QHNpZ3gvbHlueC1jbGk:0.12.0 similarity = 0.956 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/prebuild.jsView on unpkg
194if (foundPath.endsWith('.ts')) { L195: const esbuild = await import('esbuild'); L196: const source = readFileSync(foundPath, 'utf-8');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/prebuild.jsView on unpkg · L194
dist/dev-server.jsView file
730// Start rspeedy in its own process group so we can kill the whole tree L731: // on shutdown (npx spawns npm spawns node, and SIGTERM to the top doesn't L732: // propagate reliably otherwise). L733: // L734: // `shell: true` is avoided because the extra /bin/sh hop plus piped stdin L735: // causes Rspack's file watcher to stop firing (it works when rspeedy is
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/dev-server.jsView on unpkg · L730
templates/android/gradlew.batView file
path = templates/android/gradlew.bat kind = build_helper sizeBytes = 2986 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/android/gradlew.batView on unpkg
templates/android/gradle/wrapper/gradle-wrapper.jarView file
path = [redacted]-wrapper.jar kind = high_entropy_blob sizeBytes = 43583 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkg
path = [redacted]-wrapper.jar kind = compressed_blob sizeBytes = 43583 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkg
path = [redacted]-wrapper.jar kind = nested_archive_needs_inspection sizeBytes = 43583 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkg

Findings

1 Critical4 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/prebuild.js
HighChild Processdist/web-server.js
HighShelldist/web-server.js
HighRuntime Package Installdist/dev-server.js
HighShips High Entropy Blobtemplates/android/gradle/wrapper/gradle-wrapper.jar
MediumDynamic Requiredist/prebuild.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/android/gradlew.bat
MediumShips Compressed Blobtemplates/android/gradle/wrapper/gradle-wrapper.jar
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiontemplates/android/gradle/wrapper/gradle-wrapper.jar