AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a user-invoked npm wrapper with license verification, but its exported synchronous verify path has unsafe command-string construction from project package.json fields.
Decision evidence
public snapshot- bin/sts.js exports verify() that builds a node -e command string from package.json token/licenseKey via execSync
- package.json declares a dependency on @starvale-sdk/sts itself (^1.0.8), an unusual packaging error
- package.json has no preinstall/install/postinstall lifecycle hooks
- bin/sts.js network call is a documented license check to studio.althar.dev
- bin/sts.js CLI spawn forwards user-invoked commands to npm/node with inherited stdio
- No file writes, persistence, credential harvesting beyond documented token/licenseKey, or hidden payloads found
- README.md documents token/licenseKey verification before CLI use
Source & flagged code
3 flagged · loading sourceSource combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/sts.jsView on unpkg · L179Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/sts.jsView on unpkg · L2