registry  /  @sqlanvil/core  /  1.19.0

@sqlanvil/core@1.19.0

sqlanvil core API.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a bundled SQL workflow compiler with protobuf definitions and user-invoked compilation/JIT helpers.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports @sqlanvil/core or invokes compiler APIs
Impact
No install-time execution, persistence, credential harvesting, or exfiltration identified.
Mechanism
Package-aligned SQL/protobuf compilation and user-authored JS evaluation
Rationale
Static source inspection found a normal bundled SQLAnvil core compiler package; scanner protestware and network/secret hints map to README/proto schema strings and bundled library code, not attack behavior. Risky primitives such as new Function are user-invoked compiler/JIT functionality and no install-time mutation, network exfiltration, or destructive logic is present.
Evidence
package.jsonbundle.jsREADME.mdcore.protoconfigs.protojit.protodb_adapter.protoextension.protobundle.d.ts

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts or bin; main is bundle.js only.
    • bundle.js exports compiler/indexFileGenerator/jitCompiler/main/session APIs, not install-time code.
    • Only external native require found is require("fs"), used by bundled protobuf loader readFileSync path handling.
    • No child_process, shell execution, network client imports, or exfiltration endpoints found in source inspection.
    • new Function appears in compiler/JIT paths for SQLAnvil user-authored JS/JIT code, aligned with package purpose and runtime-invoked.
    • Protestware hint not supported by source: no Ukraine/Russia/geoip/destructive patterns found.
    Behavioral surface
    Source
    ChildProcessShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTrivialUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 957 KB of source, external domains: github.com

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Critical1 Medium3 Low
    CriticalProtestware
    MediumStructural Risk Force Deep Review
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings