AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI performs user-invoked Stashr API operations and an OAuth browser login.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs the stashr CLI, especially stashr login or bookmark commands.
Impact
Expected account/bookmark operations; no unconsented execution, exfiltration, or persistence was established.
Mechanism
Authenticated Stashr API client with local OAuth token storage.
Rationale
Static signals arise from normal CLI OAuth, browser launching, local token persistence, and API requests. Source inspection found no concrete malicious behavior or install-time execution.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints2
stashr.me127.0.0.1
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall, install, or postinstall hook.
- dist/index.js runs only as the declared stashr CLI entrypoint.
- Network requests implement Stashr API and OAuth flows; no unrelated endpoint is embedded.
- The only child-process use opens the user-requested login URL in a browser.
- Credential storage is a mode-0600 Stashr config file; logout revokes and removes tokens.
- No eval, dynamic payload loading, harvesting, or foreign agent-control writes found.
Behavioral surface
ChildProcessEnvironmentVars
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
13(Did you mean one of ${n.join(", ")}?)`;if(n.length===1)return`
L14: (Did you mean ${n[0]}?)`;return""}we.suggestSimilar=ye});var _t=P(($e)=>{var Se=A("node:events").EventEmitter,v=A("node:child_process"),R=A("node:path"),G=A("node:fs"),k=A("node:pr...
L15: - specify the name in Command constructor or using .name()`);if(e=e||{},e.isDefault)this._defaultCommandName=t._name;if(e.noHelp||e.hidden)t._hidden=!0;return this._registerCommand...
High
13(Did you mean one of ${n.join(", ")}?)`;if(n.length===1)return`
L14: (Did you mean ${n[0]}?)`;return""}we.suggestSimilar=ye});var _t=P(($e)=>{var Se=A("node:events").EventEmitter,v=A("node:child_process"),R=A("node:path"),G=A("node:fs"),k=A("node:pr...
L15: - specify the name in Command constructor or using .name()`);if(e=e||{},e.isDefault)this._defaultCommandName=t._name;if(e.noHelp||e.hidden)t._hidden=!0;return this._registerCommand...
...
L26: Expecting one of '${r.join("', '")}'`);let n=`${t}Help`;return this.on(n,(o)=>{let i;if(typeof e==="function")i=e({error:o.error,command:o.command});else i=e;if(i)o.write(`${i}
L27: `)}),this}_outputHelpIfRequested(t){let e=this._getHelpOption();if(e&&t.find((n)=>e.is(n)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function wt(t){...
L28: `,{mode:384}),await Fe(n,r),await ve(r,384).catch(()=>{return})}import{spawn as ge}from"node:child_process";import{createHash as me,randomBytes as It}from"node:crypto";import{creat...
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L1313(Did you mean one of ${n.join(", ")}?)`;if(n.length===1)return`
L14: (Did you mean ${n[0]}?)`;return""}we.suggestSimilar=ye});var _t=P(($e)=>{var Se=A("node:events").EventEmitter,v=A("node:child_process"),R=A("node:path"),G=A("node:fs"),k=A("node:pr...
L15: - specify the name in Command constructor or using .name()`);if(e=e||{},e.isDefault)this._defaultCommandName=t._name;if(e.noHelp||e.hidden)t._hidden=!0;return this._registerCommand...
...
L26: Expecting one of '${r.join("', '")}'`);let n=`${t}Help`;return this.on(n,(o)=>{let i;if(typeof e==="function")i=e({error:o.error,command:o.command});else i=e;if(i)o.write(`${i}
L27: `)}),this}_outputHelpIfRequested(t){let e=this._getHelpOption();if(e&&t.find((n)=>e.is(n)))this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)")}}function wt(t){...
L28: `,{mode:384}),await Fe(n,r),await ve(r,384).catch(()=>{return})}import{spawn as ge}from"node:child_process";import{createHash as me,randomBytes as It}from"node:crypto";import{creat...
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L13Findings
3 High1 Medium4 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License