registry  /  @skalfa/skalfa-app-core  /  1.0.7

@skalfa/skalfa-app-core@1.0.7

Core framework engine and foundational utility hook library for the Skalfa Next.js frontend.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Risky primitives are explicit developer utilities for barrel generation, blueprint generation, and copying a PDF worker.

Static reason
One or more suspicious static signals were detected.
Trigger
User explicitly imports/runs CLI command helpers or calls exported frontend API/auth/cache utilities.
Impact
May modify local project files or run npx barrelsby only when command code is invoked; no install-time or import-time compromise found.
Mechanism
User-invoked project scaffolding and frontend API helpers
Rationale
Static inspection shows suspicious primitives, but they are package-aligned and require explicit user command invocation; the main import path has no lifecycle, shell, persistence, or hardcoded exfiltration behavior. The package should be treated as clean for firewall purposes.
Evidence
package.jsondist/index.jsdist/commands/cli.jsdist/commands/blueprint.jsdist/commands/use-pdf.jsdist/api/api.jsdist/auth/auth.jsdist/encryption/encryption.jsdist/cavity/cavity.jsbarrels.jsonblueprints/*.blueprint.jsonutils/commands/stubs/table-blueprint.stubapp/<route>/page.tsxpublic/pdf.worker.min.mjs

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/cli.js imports child_process and runs `npx barrelsby -c barrels.json` in explicit barrels commands.
  • dist/commands/blueprint.js writes generated `app/<route>/page.tsx` files from local blueprint JSON and a local stub.
  • dist/commands/use-pdf.js copies `pdf.worker.min.mjs` from project node_modules to public.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts and no bin entry.
  • dist/index.js exports frontend utilities but does not import or run dist/commands/cli.js.
  • dist/api/api.js uses axios only for caller/env-provided API host or URL, with no hardcoded exfiltration endpoint.
  • Environment and cookie usage in dist/auth/auth.js and dist/encryption/encryption.js is app-aligned token storage/encryption, not harvesting.
  • No native binaries, shell scripts, obfuscated payloads, or AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chainNo supply-chain packaging signals triggered.
Manifest
NoLicense
scanned 31 file(s), 63.6 KB of source

Source & flagged code

2 flagged · loading source
dist/commands/cli.jsView file
6import path from "path"; L7: import { exec, execSync } from "child_process"; L8: // =====================================>
High
Child Process

Package source references child process execution.

dist/commands/cli.jsView on unpkg · L6
40try { L41: execSync("npx barrelsby -c barrels.json", { cwd: rootDir, stdio: "inherit" }); L42: logger.info("Barrels successfully generated!");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/cli.jsView on unpkg · L40

Findings

3 High2 Medium3 Low
HighChild Processdist/commands/cli.js
HighShell
HighRuntime Package Installdist/commands/cli.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowNo License