AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a CLI wrapper that verifies a license token with its service before forwarding user commands to npm or node.
Decision evidence
public snapshot- bin/sts.js reads token/licenseKey from the caller project's package.json and sends them to https://studio.althar.dev/api/access/verify.
- bin/sts.js uses child_process spawn to run npm or node with user-provided CLI arguments.
- bin/sts.js exported verify() uses execSync to run a node -e HTTPS verification helper.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- README.md explicitly documents license verification against https://studio.althar.dev and required token/licenseKey fields.
- bin/sts.js network use is limited to the documented license verification endpoint.
- No filesystem writes, persistence, destructive actions, AI-agent config mutation, native binary loading, or hidden remote payload execution found.
- Command execution is the declared CLI wrapper behavior for npm/scripts and is user-invoked.
Source & flagged code
3 flagged · loading sourceSource combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/sts.jsView on unpkg · L192Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/sts.jsView on unpkg · L2