registry  /  @skalfa/skalfa-api-core  /  1.0.13

@skalfa/skalfa-api-core@1.0.13

Core framework engine and foundational utilities for the Skalfa API backend.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are framework CLI/database/code-generation features activated by explicit user commands, not install-time behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI/framework method invocation by the user or application
Impact
Can modify project files or databases as documented framework operations, including destructive fresh migrations when explicitly run
Mechanism
user-invoked shell/database/code-generation utilities
Rationale
Static inspection found potentially dangerous primitives, but they are package-aligned framework commands and database migration helpers with no lifecycle trigger, exfiltration, persistence, or foreign agent control-surface mutation. The scanner hints are explained by user-invoked CLI behavior rather than malicious package behavior.
Evidence
package.jsondist/index.jsdist/commands/cli.jsdist/commands/runner/barrels.jsdist/commands/runner/migration.jsdist/commands/runner/da-migration.jsdist/commands/runner/blueprint/runner.js
Network endpoints3
127.0.0.1:8123DB_HOST:DB_PORT from environmentDA_HOST:DA_PORT from environment

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/cli.js exposes user-invoked commands that spawn shell commands with shell:true
  • dist/commands/runner/barrels.js runs bunx barrelsby when barrels/watch:barrels CLI actions are invoked
  • dist/commands/runner/migration.js and da-migration.js dynamically import project migration files and can drop database tables on explicit fresh commands
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and no bin entry
  • dist/index.js only re-exports modules; no network, shell, or file mutation occurs on import beyond module initialization
  • Network/database endpoints are local or env-configured DB targets, not hardcoded exfiltration endpoints
  • Project file writes are framework code generation/storage/logging paths under app, database, storage, docs, or blueprints
  • No AI-agent control-surface writes, credential harvesting, persistence, or remote payload loading found
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 150 file(s), 332 KB of source, external domains: schema.getpostman.com

Source & flagged code

5 flagged · loading source
dist/commands/runner/da-migration.jsView file
163} L164: async exec(query) { L165: if (!daClient) {
High
Child Process

Package source references child process execution.

dist/commands/runner/da-migration.jsView on unpkg · L163
31// @ts-ignore L32: const { createClient } = await import("@clickhouse/client"); L33: let dac = createClient({
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/runner/da-migration.jsView on unpkg · L31
dist/commands/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @skalfa/sk[redacted]@1.0.9 matchedIdentity = npm:QHNrYWxmYS9za2FsZmEtYXBpLWNvcmU:1.0.9 similarity = 0.900 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/cli.jsView on unpkg
85function executeCommand(commandLine) { L86: const child = spawn(commandLine, { stdio: "inherit", shell: true }); L87: child.on("exit", (code) => {
High
Shell

Package source references shell execution.

dist/commands/cli.jsView on unpkg · L85
dist/commands/runner/barrels.jsView file
19try { L20: execSync("bunx barrelsby -c barrels.json", { cwd: rootDir, stdio: "inherit" }); L21: logger.info("Barrels successfully generated!");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/runner/barrels.jsView on unpkg · L19

Findings

1 Critical3 High4 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/commands/cli.js
HighChild Processdist/commands/runner/da-migration.js
HighShelldist/commands/cli.js
HighRuntime Package Installdist/commands/runner/barrels.js
MediumDynamic Requiredist/commands/runner/da-migration.js
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings