registry  /  @skalfa/skalfa-api-core  /  1.0.24

@skalfa/skalfa-api-core@1.0.24

Core and Foundational utilities for the Skalfa API Framework.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious or install-time attack surface. Potentially destructive operations are explicit framework CLI migration commands against the caller-configured project database.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A consumer explicitly calls `runCli()` and selects migration or generator commands.
Impact
Can write generated project files or reset configured database tables only through named user commands.
Mechanism
User-invoked CLI scaffolding, migration loading, and local database administration.
Rationale
The flagged primitives are confined to explicit framework CLI features and project-controlled migration loading; import and installation do not execute them. Source inspection found no credential harvesting, exfiltration, stealth persistence, or AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/commands/cli.jsdist/commands/runner/barrels.jsdist/commands/runner/migration.jsdist/commands/runner/da-migration.jsbarrels.jsondatabase/migrationsanalytic/migrations
Network endpoints1
127.0.0.1:8123

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/commands/cli.js` uses shell-backed `spawn` only in explicit development/test/lint CLI commands.
  • `dist/commands/runner/barrels.js` runs `bunx barrelsby` only when its named CLI commands are invoked.
  • `dist/commands/runner/da-migration.js` dynamically imports project migration files and has an explicit destructive fresh-migration command.
  • `dist/commands/runner/migration.js` has an explicit `migrate:fresh` path that drops the project database schema.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or bin entry.
  • `dist/index.js` only re-exports modules; it does not call `runCli` or execute commands on import.
  • No source references AI-agent control files, credential stores, or remote exfiltration APIs.
  • ClickHouse access is an explicitly configured migration feature with a localhost default.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 150 file(s), 337 KB of source, external domains: schema.getpostman.com

Source & flagged code

5 flagged · loading source
dist/commands/runner/da-migration.jsView file
163} L164: async exec(query) { L165: if (!daClient) {
High
Child Process

Package source references child process execution.

dist/commands/runner/da-migration.jsView on unpkg · L163
31// @ts-ignore L32: const { createClient } = await import("@clickhouse/client"); L33: let dac = createClient({
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/runner/da-migration.jsView on unpkg · L31
dist/commands/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @skalfa/sk[redacted]@1.0.23 matchedIdentity = npm:QHNrYWxmYS9za2FsZmEtYXBpLWNvcmU:1.0.23 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/cli.jsView on unpkg
87function executeCommand(commandLine) { L88: const child = spawn(commandLine, { stdio: "inherit", shell: true }); L89: child.on("exit", (code) => {
High
Shell

Package source references shell execution.

dist/commands/cli.jsView on unpkg · L87
dist/commands/runner/barrels.jsView file
19try { L20: execSync("bunx barrelsby -c barrels.json", { cwd: rootDir, stdio: "inherit" }); L21: logger.info("Barrels successfully generated!");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/runner/barrels.jsView on unpkg · L19

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/cli.js
HighChild Processdist/commands/runner/da-migration.js
HighShelldist/commands/cli.js
HighRuntime Package Installdist/commands/runner/barrels.js
MediumDynamic Requiredist/commands/runner/da-migration.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings