registry  /  @starvale-sdk/sts  /  1.1.6

@starvale-sdk/sts@1.1.6

STS CLI - A sleek, fast, and modern custom wrapper for npm

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI wrapper that verifies documented project license credentials with a package-aligned endpoint, then forwards user-invoked commands to npm/node.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs sts CLI with a non-help command or imports module and calls verify()
Impact
License token/key are transmitted to the vendor verification endpoint; user-requested npm/node commands execute normally.
Mechanism
documented license verification and npm command wrapper
Rationale
The suspicious primitives are aligned with the advertised CLI wrapper and license-checking behavior, and there is no install-time execution or hidden exfiltration/persistence path. The only outbound data flow is documented license verification to the vendor endpoint during user-invoked runtime.
Evidence
package.jsonbin/sts.jsREADME.md<cwd>/package.json
Network endpoints1
studio.althar.dev/api/access/verify

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/sts.js reads token/licenseKey from caller package.json and sends them to https://studio.althar.dev/api/access/verify
  • bin/sts.js uses spawn/execSync, but only to run npm/node commands after user invokes the sts CLI or exported verify()
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • README.md documents license verification against https://studio.althar.dev and required token/licenseKey fields
  • bin/sts.js main path gates network call on explicit sts CLI use, with help/version bypass
  • bin/sts.js forwards user commands to npm or node with inherited stdio; no hidden payload download or command-output exfiltration found
  • No filesystem writes, persistence, destructive actions, eval/vm, native/binary loading, or AI-agent control-surface mutation found
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 10.5 KB of source, external domains: studio.althar.dev

Source & flagged code

3 flagged · loading source
bin/sts.jsView file
2L3: const { spawn } = require('child_process'); L4: const fs = require('fs');
High
Child Process

Package source references child process execution.

bin/sts.jsView on unpkg · L2
196try { L197: const url = `https://studio.althar.dev/api/access/verify?key=${encodeURIComponent(licenseKey)}&token=${encodeURIComponent(token)}`; L198: const script = `const https = require('https'); const readline = require('readline'); const spinnerFrames = ['-', '\\\\', '|', '/']; let frameIndex = 0; let spinnerInterval = null;... L199: const responseText = require('child_process').execSync(`"${process.execPath}" -e "${script.replace(/\r?\n/g, ' ')}"`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'inherit'] }); L200:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/sts.jsView on unpkg · L196
2L3: const { spawn } = require('child_process'); L4: const fs = require('fs'); L5: const path = require('path'); L6: const https = require('https'); L7: const readline = require('readline'); ... L49: try { L50: const pkgPath = path.join(process.cwd(), 'package.json'); L51: if (fs.existsSync(pkgPath)) { L52: const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8')); L53: if (pkg.scripts && firstArg in pkg.scripts) { ... L99:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/sts.jsView on unpkg · L2

Findings

3 High2 Medium3 Low
HighChild Processbin/sts.js
HighCommand Output Exfiltrationbin/sts.js
HighSandbox Evasion Gated Capabilitybin/sts.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings