AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a CLI wrapper that verifies documented project license credentials with a package-aligned endpoint, then forwards user-invoked commands to npm/node.
Decision evidence
public snapshot- bin/sts.js reads token/licenseKey from caller package.json and sends them to https://studio.althar.dev/api/access/verify
- bin/sts.js uses spawn/execSync, but only to run npm/node commands after user invokes the sts CLI or exported verify()
- package.json has no preinstall/install/postinstall lifecycle hooks
- README.md documents license verification against https://studio.althar.dev and required token/licenseKey fields
- bin/sts.js main path gates network call on explicit sts CLI use, with help/version bypass
- bin/sts.js forwards user commands to npm or node with inherited stdio; no hidden payload download or command-output exfiltration found
- No filesystem writes, persistence, destructive actions, eval/vm, native/binary loading, or AI-agent control-surface mutation found
Source & flagged code
3 flagged · loading sourceSource combines command execution, command-output handling, and outbound requests; review data flow before blocking.
bin/sts.jsView on unpkg · L196Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/sts.jsView on unpkg · L2