registry  /  @sigx/lynx-cli  /  0.13.0

@sigx/lynx-cli@0.13.0

Lynx CLI plugin for sigx — config, prebuild, auto-linking

AI Security Review

scanned 20h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Process execution, project-file generation, package installation, and local HTTP/WebSocket serving are explicit CLI development actions.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `sigx` Lynx build, prebuild, device, package, or web-server commands.
Impact
No unconsented install-time execution, credential exfiltration, remote payload loading, persistence, or destructive behavior was found.
Mechanism
Explicit mobile-project scaffolding, builds, and local development serving.
Rationale
Static hints identify normal CLI primitives, but source inspection shows they are command-scoped development functionality. No concrete malicious chain or lifecycle-triggered behavior is present.
Evidence
package.jsondist/index.jsdist/plugin.jsdist/prebuild.jsdist/packages.jsdist/web-server.jsdist/dev-server.jstemplates/android/gradle/wrapper/gradle-wrapper.properties

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/plugin.js` invokes build/device commands only through explicit CLI subcommands.
  • `dist/prebuild.js` imports and executes the project's `signalx.config.*` during explicit prebuild.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `dist/index.js` is an export entrypoint; no install-time execution path was found.
  • `dist/web-server.js` serves local project assets and binds loopback unless `--host` is explicitly requested.
  • `dist/packages.js` limits its package-manager add flow to user-requested `@sigx/lynx-*` modules.
  • `dist/device-detect.js` reads Android/JDK environment paths for local tooling, not credentials.
  • The bundled Gradle JAR is paired with standard wrapper metadata in `templates/android/gradle/wrapper/gradle-wrapper.properties`.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 46 file(s), 531 KB of source, external domains: github.com, schemas.android.com, www.apple.com

Source & flagged code

9 flagged · loading source
dist/web-server.jsView file
20*/ L21: import { spawn } from 'node:child_process'; L22: import { createServer as createNetServer } from 'node:net';
High
Child Process

Package source references child process execution.

dist/web-server.jsView on unpkg · L20
168logger.log(`Building the web bundle${watchMode ? ' (watching for changes)' : ''}…`); L169: const buildChild = spawn('npx', buildArgs, { cwd, stdio: 'inherit', shell: true }); L170: let buildExit = null;
High
Shell

Package source references shell execution.

dist/web-server.jsView on unpkg · L168
dist/prebuild.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sigx/lynx-cli@0.12.2 matchedIdentity = npm:QHNpZ3gvbHlueC1jbGk:0.12.2 similarity = 0.911 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/prebuild.jsView on unpkg
195if (foundPath.endsWith('.ts')) { L196: const esbuild = await import('esbuild'); L197: const source = readFileSync(foundPath, 'utf-8');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/prebuild.jsView on unpkg · L195
dist/dev-server.jsView file
730// Start rspeedy in its own process group so we can kill the whole tree L731: // on shutdown (npx spawns npm spawns node, and SIGTERM to the top doesn't L732: // propagate reliably otherwise). L733: // L734: // `shell: true` is avoided because the extra /bin/sh hop plus piped stdin L735: // causes Rspack's file watcher to stop firing (it works when rspeedy is
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/dev-server.jsView on unpkg · L730
templates/android/gradlew.batView file
path = templates/android/gradlew.bat kind = build_helper sizeBytes = 2986 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

templates/android/gradlew.batView on unpkg
templates/android/gradle/wrapper/gradle-wrapper.jarView file
path = [redacted]-wrapper.jar kind = high_entropy_blob sizeBytes = 43583 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkg
path = [redacted]-wrapper.jar kind = compressed_blob sizeBytes = 43583 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkg
path = [redacted]-wrapper.jar kind = nested_archive_needs_inspection sizeBytes = 43583 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

templates/android/gradle/wrapper/gradle-wrapper.jarView on unpkg

Findings

1 Critical4 High6 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/prebuild.js
HighChild Processdist/web-server.js
HighShelldist/web-server.js
HighRuntime Package Installdist/dev-server.js
HighShips High Entropy Blobtemplates/android/gradle/wrapper/gradle-wrapper.jar
MediumDynamic Requiredist/prebuild.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertemplates/android/gradlew.bat
MediumShips Compressed Blobtemplates/android/gradle/wrapper/gradle-wrapper.jar
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiontemplates/android/gradle/wrapper/gradle-wrapper.jar