registry  /  @skalfa/skalfa-app-core  /  1.0.18

@skalfa/skalfa-app-core@1.0.18

Core framework engine and foundational utility hook library for the Skalfa Next.js frontend.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Shell, filesystem, and network primitives are limited to explicit framework CLI actions and caller-configured application API requests.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A user explicitly invokes exported CLI commands or a React consumer calls the API helper.
Impact
Can modify expected project-generated files or execute declared development tooling when explicitly invoked; no install-time execution or covert exfiltration was found.
Mechanism
Project scaffolding/build commands and configurable Axios API requests.
Rationale
Static inspection shows no lifecycle hook or import-time payload. The flagged primitives implement user-invoked framework scaffolding/build operations and caller-configured API requests, not a concrete malicious chain.
Evidence
package.jsondist/index.jsdist/commands/cli.jsdist/commands/use-pdf.jsdist/commands/blueprint.jsdist/api/api.jsdist/auth/auth.jscomponents/index.tsiconsapp/<route>/page.tsxpublic/pdf.worker.min.mjsnode_modules/@skalfa/skalfa-icon/scripts/generate.ts

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/commands/cli.js` uses shell execution, but only inside explicit CLI command handlers.
  • `dist/commands/cli.js` runs `npx barrelsby` and a local icon-generator path during user-invoked build/watch commands.
  • `dist/api/api.js` can send bearer headers to a caller-provided URL or `NEXT_PUBLIC_API_HOST`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or bin entrypoint.
  • `dist/index.js` only re-exports modules; importing it does not start the CLI.
  • No eval, VM, dynamic module loading, credential harvesting, destructive deletion, or agent-control writes were found.
  • CLI file writes are scoped to explicit project-generation commands (`components/index.ts`, `app/<route>/page.tsx`, `public/pdf.worker.min.mjs`).
  • Network use is an application API helper configured by caller props/environment, not a fixed exfiltration endpoint.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
WildcardDependency
scanned 31 file(s), 72.3 KB of source

Source & flagged code

4 flagged · loading source
dist/commands/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @skalfa/sk[redacted]@1.0.11 matchedIdentity = npm:QHNrYWxmYS9za2FsZmEtYXBwLWNvcmU:1.0.11 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/cli.jsView on unpkg
6import path from "path"; L7: import { exec, execSync, spawn } from "child_process"; L8: import { runBuild as runBuildLang, startDev as startDevLang } from "@skalfa/skalfa-lang/compiler";
High
Child Process

Package source references child process execution.

dist/commands/cli.jsView on unpkg · L6
204function executeCommand(commandLine) { L205: const child = spawn(commandLine, { stdio: "inherit", shell: true }); L206: child.on("exit", (code) => {
High
Shell

Package source references shell execution.

dist/commands/cli.jsView on unpkg · L204
115try { L116: execSync("npx barrelsby -c barrels.json", { cwd: rootDir, stdio: "inherit" }); L117: postProcessBarrels(rootDir);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/cli.jsView on unpkg · L115

Findings

1 Critical3 High3 Medium2 Low
CriticalPrevious Version Dangerous Deltadist/commands/cli.js
HighChild Processdist/commands/cli.js
HighShelldist/commands/cli.js
HighRuntime Package Installdist/commands/cli.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem