registry  /  @starvale-sdk/sts  /  1.1.0

@starvale-sdk/sts@1.1.0

STS CLI - A sleek, fast, and modern custom wrapper for npm

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked npm wrapper with license verification, but its exported synchronous verify path has unsafe command-string construction from project package.json fields.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs sts command or code explicitly calls require('@starvale-sdk/sts').verify()
Impact
CLI forwards user commands after license verification; exported verify() may be command-injection-prone with hostile package.json token/licenseKey values.
Mechanism
npm command wrapper plus license verification
Rationale
Source inspection shows the suspicious network and child_process usage are aligned with the documented CLI wrapper/license-check behavior and are not install-time or hidden exfiltration. The unsafe execSync construction and self-dependency justify a warning rather than a malicious block.
Evidence
package.jsonbin/sts.jsREADME.md
Network endpoints1
studio.althar.dev/api/access/verify

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • bin/sts.js exports verify() that builds a node -e command string from package.json token/licenseKey via execSync
  • package.json declares a dependency on @starvale-sdk/sts itself (^1.0.8), an unusual packaging error
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin/sts.js network call is a documented license check to studio.althar.dev
  • bin/sts.js CLI spawn forwards user-invoked commands to npm/node with inherited stdio
  • No file writes, persistence, credential harvesting beyond documented token/licenseKey, or hidden payloads found
  • README.md documents token/licenseKey verification before CLI use
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 9.58 KB of source, external domains: studio.althar.dev

Source & flagged code

3 flagged · loading source
bin/sts.jsView file
2L3: const { spawn } = require('child_process'); L4: const fs = require('fs');
High
Child Process

Package source references child process execution.

bin/sts.jsView on unpkg · L2
179console.log('╚═╝ ╩ ╚═╝╚═╝╩═╝╩\x1b[0m'); L180: process.stdout.write('\x1b[36m🔄 Verifying license access...\x1b[0m'); L181: L182: try { L183: const url = `https://studio.althar.dev/api/access/verify?key=${encodeURIComponent(licenseKey)}&token=${encodeURIComponent(token)}`; L184: const script = `const https = require('https'); https.get('${url}', (res) => { let d = ''; res.on('data', c => d += c); res.on('end', () => { process.stdout.write(d); process.exit(... L185: const responseText = require('child_process').execSync(`"${process.execPath}" -e "${script}"`, { encoding: 'utf8' }); L186:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/sts.jsView on unpkg · L179
2L3: const { spawn } = require('child_process'); L4: const fs = require('fs'); L5: const path = require('path'); L6: const https = require('https'); L7: const readline = require('readline'); ... L48: try { L49: const pkgPath = path.join(process.cwd(), 'package.json'); L50: if (fs.existsSync(pkgPath)) { L51: const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8')); L52: if (pkg.scripts && firstArg in pkg.scripts) { ... L98:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/sts.jsView on unpkg · L2

Findings

3 High1 Medium3 Low
HighChild Processbin/sts.js
HighCommand Output Exfiltrationbin/sts.js
HighSandbox Evasion Gated Capabilitybin/sts.js
MediumNetwork
LowScripts Present
LowFilesystem
LowUrl Strings