registry  /  @starvale-sdk/sts  /  1.1.7

@starvale-sdk/sts@1.1.7

STS CLI - A sleek, fast, and modern custom wrapper for npm

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a CLI npm wrapper that gates commands behind a documented license check.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs sts CLI command or imports module and calls verify().
Impact
Project token/licenseKey are sent to the vendor license endpoint when the user invokes protected CLI actions.
Mechanism
license verification plus npm/node command wrapper
Rationale
The suspicious primitives are package-aligned: documented license verification and user-invoked npm/node command wrapping. There is no install-time execution, stealth persistence, destructive behavior, remote payload execution, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mdbin/sts.js
Network endpoints1
studio.althar.dev/api/access/verify

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/sts.js reads token/licenseKey from the caller project's package.json and sends them to studio.althar.dev for license verification.
  • bin/sts.js uses child_process spawn to invoke npm or node for user-requested CLI/script commands.
  • bin/sts.js exported verify() uses execSync to run a node -e HTTPS verification helper, but URL is constructed from local license fields.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Network access is limited to documented license verification endpoint in README.md and bin/sts.js.
  • No code writes files, mutates agent/tool configuration, installs persistence, loads native binaries, or fetches remote executable payloads.
  • CLI command execution is user-invoked and routes to npm/node with inherited stdio; no captured command output is exfiltrated.
  • Only package files present are package.json, README.md, and bin/sts.js.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 11.0 KB of source, external domains: studio.althar.dev

Source & flagged code

3 flagged · loading source
bin/sts.jsView file
2L3: const { spawn } = require('child_process'); L4: const fs = require('fs');
High
Child Process

Package source references child process execution.

bin/sts.jsView on unpkg · L2
199try { L200: const url = `https://studio.althar.dev/api/access/verify?key=${encodeURIComponent(licenseKey)}&token=${encodeURIComponent(token)}`; L201: const script = `const https = require('https'); const readline = require('readline'); const spinnerFrames = ['-', '\\\\', '|', '/']; let frameIndex = 0; let spinnerInterval = null;... L202: const responseText = require('child_process').execSync(`"${process.execPath}" -e "${script.replace(/\r?\n/g, ' ')}"`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'inherit'] }); L203:
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

bin/sts.jsView on unpkg · L199
2L3: const { spawn } = require('child_process'); L4: const fs = require('fs'); L5: const path = require('path'); L6: const https = require('https'); L7: const readline = require('readline'); ... L49: try { L50: const pkgPath = path.join(process.cwd(), 'package.json'); L51: if (fs.existsSync(pkgPath)) { L52: const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8')); L53: if (pkg.scripts && firstArg in pkg.scripts) { ... L99:
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/sts.jsView on unpkg · L2

Findings

3 High2 Medium3 Low
HighChild Processbin/sts.js
HighCommand Output Exfiltrationbin/sts.js
HighSandbox Evasion Gated Capabilitybin/sts.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings