registry  /  @skalfa/skalfa-app-core  /  1.0.11

@skalfa/skalfa-app-core@1.0.11

Core framework engine and foundational utility hook library for the Skalfa Next.js frontend.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are explicit development/frontend utilities rather than install-time or import-time behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit caller import or CLI command invocation
Impact
Runs local project tooling and writes generated app/page.tsx files only when invoked; performs configured frontend API requests.
Mechanism
User-invoked Next.js/dev tooling, blueprint generation, API helper requests
Rationale
Source inspection shows no lifecycle execution and no hidden attack behavior; scanner hits map to explicit development commands and frontend framework utilities. The child_process, filesystem, env, and network use are package-aligned and user/config driven.
Evidence
package.jsondist/index.jsdist/commands/cli.jsdist/commands/blueprint.jsdist/commands/use-pdf.jsdist/api/api.jsdist/cavity/cavity.jsdist/auth/auth.jsdist/encryption/encryption.jsbarrels.jsonutils/commands/stubs/table-blueprint.stubapp/<route>/page.tsxpublic/pdf.worker.min.mjs

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/cli.js exposes user-invoked commands that run shell commands via exec/execSync/spawn shell:true.
  • dist/commands/blueprint.js writes generated app route files from local blueprint JSON and a local stub.
  • dist/api/api.js sends bearer-auth axios requests to NEXT_PUBLIC_API_HOST or caller-supplied url.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks and no bin entry.
  • dist/index.js only exports utility modules; CLI code is not import-time executed.
  • Shell commands are fixed development commands such as next, eslint, tsc, and npx barrelsby, activated by explicit CLI actions.
  • No credential harvesting, hidden exfiltration endpoint, persistence, AI-agent control-surface writes, destructive behavior, or remote code loading found.
  • Network behavior is package-aligned frontend API/socket use driven by app configuration or caller input.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 31 file(s), 66.2 KB of source

Source & flagged code

4 flagged · loading source
dist/commands/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @skalfa/sk[redacted]@1.0.10 matchedIdentity = npm:QHNrYWxmYS9za2FsZmEtYXBwLWNvcmU:1.0.10 similarity = 0.952 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/cli.jsView on unpkg
6import path from "path"; L7: import { exec, execSync, spawn } from "child_process"; L8: // =====================================>
High
Child Process

Package source references child process execution.

dist/commands/cli.jsView on unpkg · L6
109function executeCommand(commandLine) { L110: const child = spawn(commandLine, { stdio: "inherit", shell: true }); L111: child.on("exit", (code) => {
High
Shell

Package source references shell execution.

dist/commands/cli.jsView on unpkg · L109
40try { L41: execSync("npx barrelsby -c barrels.json", { cwd: rootDir, stdio: "inherit" }); L42: logger.info("Barrels successfully generated!");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/cli.jsView on unpkg · L40

Findings

1 Critical3 High2 Medium2 Low
CriticalPrevious Version Dangerous Deltadist/commands/cli.js
HighChild Processdist/commands/cli.js
HighShelldist/commands/cli.js
HighRuntime Package Installdist/commands/cli.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem