registry  /  @skalfa/skalfa-app-core  /  1.0.9

@skalfa/skalfa-app-core@1.0.9

Core framework engine and foundational utility hook library for the Skalfa Next.js frontend.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The risky primitives are user-invoked developer utilities and framework API helpers, not install-time or import-time behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit library API or CLI command invocation by the consuming project.
Impact
Can generate project files or run barrelsby when intentionally invoked; no evidence of unconsented execution or data exfiltration.
Mechanism
Frontend framework utilities, API wrapper, cache/auth helpers, and code generation commands.
Rationale
Static inspection found suspicious primitives, but they are aligned with a Next.js framework package and require explicit user invocation or app configuration. There is no lifecycle execution, import-time payload, credential harvesting, or concrete exfiltration behavior.
Evidence
package.jsondist/index.jsdist/commands/cli.jsdist/commands/use-pdf.jsdist/commands/blueprint.jsdist/api/api.jsdist/auth/auth.jsdist/cavity/cavity.jsdist/encryption/encryption.jsREADME.mdpublic/pdf.worker.min.mjsapp/<route>/page.tsxbarrels.json
Network endpoints1
skalfa.sejedigital.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/cli.js imports child_process and runs `npx barrelsby -c barrels.json` only from explicit CLI commands.
  • dist/commands/blueprint.js writes generated Next.js pages under app/<route>/page.tsx when blueprint command is invoked.
  • dist/api/api.js sends axios requests to caller-provided url or NEXT_PUBLIC_API_HOST; auth bearer comes from package auth helper.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks and no bin entry.
  • dist/index.js only re-exports library modules; CLI runCli is not called on import.
  • No obfuscated payloads, native binaries, dynamic require/import, eval/vm, persistence, or destructive file operations found.
  • Network use is package-aligned frontend API/socket functionality driven by environment or caller-provided configuration.
  • Cookie/env usage is limited to app configuration and access-token helper functions, with no exfiltration path.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 31 file(s), 64.1 KB of source

Source & flagged code

2 flagged · loading source
dist/commands/cli.jsView file
6import path from "path"; L7: import { exec, execSync } from "child_process"; L8: // =====================================>
High
Child Process

Package source references child process execution.

dist/commands/cli.jsView on unpkg · L6
40try { L41: execSync("npx barrelsby -c barrels.json", { cwd: rootDir, stdio: "inherit" }); L42: logger.info("Barrels successfully generated!");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/cli.jsView on unpkg · L40

Findings

3 High2 Medium2 Low
HighChild Processdist/commands/cli.js
HighShell
HighRuntime Package Installdist/commands/cli.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem