registry  /  @starvale-sdk/sts  /  1.1.1

@starvale-sdk/sts@1.1.1

STS CLI - A sleek, fast, and modern custom wrapper for npm

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI wrapper that verifies a license token with its service before forwarding user commands to npm or node.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the sts CLI or imports the module and calls verify().
Impact
Project package.json token/licenseKey are sent to the vendor verification endpoint; user-requested npm/node commands may run.
Mechanism
documented license verification plus npm command forwarding
Rationale
The suspicious primitives are package-aligned: documented license verification and a CLI wrapper around npm/scripts. With no lifecycle hook, hidden persistence, credential harvesting beyond the stated license fields, or unconsented control-surface mutation, this should not be blocked.
Evidence
package.jsonREADME.mdbin/sts.jsprocess.cwd()/package.jsonbin/../package.json
Network endpoints1
studio.althar.dev/api/access/verify

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/sts.js reads token/licenseKey from the caller project's package.json and sends them to https://studio.althar.dev/api/access/verify.
  • bin/sts.js uses child_process spawn to run npm or node with user-provided CLI arguments.
  • bin/sts.js exported verify() uses execSync to run a node -e HTTPS verification helper.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • README.md explicitly documents license verification against https://studio.althar.dev and required token/licenseKey fields.
  • bin/sts.js network use is limited to the documented license verification endpoint.
  • No filesystem writes, persistence, destructive actions, AI-agent config mutation, native binary loading, or hidden remote payload execution found.
  • Command execution is the declared CLI wrapper behavior for npm/scripts and is user-invoked.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 9.98 KB of source, external domains: studio.althar.dev

Source & flagged code

3 flagged · loading source
bin/sts.jsView file
2L3: const { spawn } = require('child_process'); L4: const fs = require('fs');
High
Child Process

Package source references child process execution.

bin/sts.jsView on unpkg · L2
192console.log(`\x1b[90mVersion : ${version}\x1b[0m\n`); L193: process.stdout.write('\x1b[36m🔄 Verifying license access...\x1b[0m'); L194: L195: try { L196: const url = `https://studio.althar.dev/api/access/verify?key=${encodeURIComponent(licenseKey)}&token=${encodeURIComponent(token)}`; L197: const script = `const https = require('https'); https.get('${url}', (res) => { let d = ''; res.on('data', c => d += c); res.on('end', () => { process.stdout.write(d); process.exit(... L198: const responseText = require('child_process').execSync(`"${process.execPath}" -e "${script}"`, { encoding: 'utf8' }); L199:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/sts.jsView on unpkg · L192
2L3: const { spawn } = require('child_process'); L4: const fs = require('fs'); L5: const path = require('path'); L6: const https = require('https'); L7: const readline = require('readline'); ... L48: try { L49: const pkgPath = path.join(process.cwd(), 'package.json'); L50: if (fs.existsSync(pkgPath)) { L51: const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8')); L52: if (pkg.scripts && firstArg in pkg.scripts) { ... L98:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/sts.jsView on unpkg · L2

Findings

3 High2 Medium3 Low
HighChild Processbin/sts.js
HighCommand Output Exfiltrationbin/sts.js
HighSandbox Evasion Gated Capabilitybin/sts.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings