registry  /  @skalfa/skalfa-app-core  /  1.0.10

@skalfa/skalfa-app-core@1.0.10

Core framework engine and foundational utility hook library for the Skalfa Next.js frontend.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are limited to explicit CLI/dev scaffolding commands and normal frontend API helpers.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit import/use of library helpers or manual invocation of exported CLI commands
Impact
May modify consumer project files or run dev/build tools when deliberately invoked; no install-time or import-time compromise found
Mechanism
User-invoked project scaffolding/dev shell commands and env-configured API requests
Rationale
Static inspection found no lifecycle execution, automatic persistence, exfiltration, or foreign AI-agent control-surface writes. The scanner-highlighted child_process and package-manager commands are tied to explicit CLI/dev workflows and package-aligned code generation.
Evidence
package.jsondist/index.jsdist/commands/cli.jsdist/commands/blueprint.jsdist/commands/use-pdf.jsdist/api/api.jsdist/cavity/cavity.jsbarrels.jsonblueprints/*.blueprint.jsonutils/commands/stubs/table-blueprint.stubapp/<route>/page.tsxpublic/pdf.worker.min.mjs

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/cli.js exposes user-invoked shell commands for npx barrelsby, next, tsc, eslint, and concurrently
  • dist/commands/blueprint.js writes generated app/<route>/page.tsx files from local blueprint JSON and stub input
  • dist/api/api.js sends requests to caller/env-provided URL or NEXT_PUBLIC_API_HOST with auth bearer
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and no bin entry
  • dist/index.js only re-exports library modules and does not run CLI code on import
  • No evidence of credential harvesting, hardcoded exfiltration endpoint, persistence, AI-agent surface mutation, eval/vm, or native/binary loading
  • Network behavior is normal API client/socket cache functionality using caller configuration
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 31 file(s), 66.1 KB of source

Source & flagged code

4 flagged · loading source
dist/commands/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @skalfa/sk[redacted]@1.0.9 matchedIdentity = npm:QHNrYWxmYS9za2FsZmEtYXBwLWNvcmU:1.0.9 similarity = 0.952 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/cli.jsView on unpkg
6import path from "path"; L7: import { exec, execSync, spawn } from "child_process"; L8: // =====================================>
High
Child Process

Package source references child process execution.

dist/commands/cli.jsView on unpkg · L6
109function executeCommand(commandLine) { L110: const child = spawn(commandLine, { stdio: "inherit", shell: true }); L111: child.on("exit", (code) => {
High
Shell

Package source references shell execution.

dist/commands/cli.jsView on unpkg · L109
40try { L41: execSync("npx barrelsby -c barrels.json", { cwd: rootDir, stdio: "inherit" }); L42: logger.info("Barrels successfully generated!");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/cli.jsView on unpkg · L40

Findings

1 Critical3 High2 Medium2 Low
CriticalPrevious Version Dangerous Deltadist/commands/cli.js
HighChild Processdist/commands/cli.js
HighShelldist/commands/cli.js
HighRuntime Package Installdist/commands/cli.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem