registry  /  @smardaten/sdata-cli  /  1.3.2

@smardaten/sdata-cli@1.3.2

smardaten二次开发插件脚手架

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a user-invoked scaffold CLI that fetches templates and mutates generated project files, with one explicit template execution path in genTemplate.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs scli init, scli install, or scli genTemplate.
Impact
Creates or updates project/template files under the current working directory or package lib temp folder; no install-time impact.
Mechanism
CLI scaffolding via git sparse checkout, project file writes, and optional template generator execution
Rationale
Static inspection shows risky but package-aligned CLI scaffolding behavior activated by explicit user commands, not install/import-time malware. There is no evidence of credential theft, stealth persistence, destructive behavior outside generated paths, or unconsented agent control-surface mutation.
Evidence
package.jsonbin/clilib/init.jslib/install.jslib/genTemplate.jslib/handle/index.jsconfig/datasrouce.js<cwd>/<projectName><cwd>/<projectName>/.git/info/sparse-checkout<cwd>/<projectName>/config.json<cwd>/<projectName>/pluginTemp/config.jsonlib/templib/*scliGenerateTemplate
Network endpoints3
gitee.com/njsmartdata/sdata-plugins.gitgitee.com/njsmartdata/sdata-pluginsgitee.com/njsmartdata/sdata-cli/raw/master/update_log.json

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • lib/genTemplate.js explicitly clones templates then spawns node on downloaded templates/index.js when user runs genTemplate.
  • lib/init.js and lib/install.js run git/npm/open shell commands and write generated project files from user prompts.
  • lib/handle/index.js dynamically requires a user-selected config.json path before rewriting it.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts; code runs via scli commands only.
  • Network use is aligned with scaffold/template features: Gitee template repo and npm version check.
  • No credential/env harvesting, persistence, broad filesystem scanning, stealth, or exfiltration logic found.
  • File writes/removals are scoped to generated project directories, .git sparse checkout metadata, or lib temp template folders.
  • Declared path dependency matches a Node builtin name but source imports path as a builtin and shows no dependency-confusion payload.
Behavioral surface
Source
ChildProcessDynamicRequireFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 23.3 KB of source, external domains: gitee.com

Source & flagged code

2 flagged · loading source
lib/handle/index.jsView file
1const path = require("path"); L2: const chalk = require("chalk");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

lib/handle/index.jsView on unpkg · L1
package.jsonView file
Runtime dependency names matching Node built-ins: path
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighNode Builtin Dependency Squatpackage.json
MediumDynamic Requirelib/handle/index.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings