registry  /  @storm-software/git-tools  /  2.131.90

@storm-software/git-tools@2.131.90

Tools for managing Git repositories within a Nx workspace.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No automatic install-time attack surface is confirmed. Explicit `storm-prepare` setup can install Lefthook-managed VCS hooks in the current workspace.

Static reason
No blocking static signals were detected.
Trigger
User explicitly runs the `storm-prepare`/prepare CLI command.
Impact
Project Git hooks may be installed; no credential exfiltration, remote payload execution, or AI-agent control mutation was confirmed.
Mechanism
Runs `pnpm lefthook install` to configure repository hooks.
Rationale
No concrete malicious chain is present, but explicit VCS-hook installation is a guarded lifecycle capability that warrants warning under the firewall policy.
Evidence
package.jsonbin/prepare.cjsbin/chunk-J4XLLB7C.cjsbin/pre-install.cjsbin/chunk-SGNASXPC.cjsbin/git.cjs.git/hooks
Network endpoints1
ungh.cc/users/find/${email}

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/prepare.cjs` invokes a hook installer when explicitly run.
  • `bin/chunk-J4XLLB7C.cjs` runs `pnpm lefthook install` outside CI.
  • `bin/pre-install.cjs` can run `npx -y only-allow pnpm` when explicitly invoked.
  • `bin/git.cjs` reads GitHub credentials only for release/API commands.
Evidence against
  • `package.json` contains no npm lifecycle scripts.
  • No AI-agent configuration paths or control-surface writes found.
  • No eval, VM, encoded payload, or remote code-loading path found.
  • Network lookup is a direct `ungh.cc` user-metadata request; GitHub token use is release-command scoped.
  • Hook and shell actions are named CLI commands, not install-time behavior.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 85 file(s), 1010 KB of source, external domains: cli.github.com, developer.stormsoftware.com, docs.stormsoftware.com, github.com, public.storm-cdn.com, stormsoftware.com, ungh.cc, x.com

Source & flagged code

4 flagged · loading source
bin/prepare.cjsView file
Published source reference
Medium
Ai Review Evidence

`bin/prepare.cjs` invokes a hook installer when explicitly run.

bin/prepare.cjsView on unpkg
bin/chunk-J4XLLB7C.cjsView file
Published source reference
Medium
Ai Review Evidence

`bin/chunk-J4XLLB7C.cjs` runs `pnpm lefthook install` outside CI.

bin/chunk-J4XLLB7C.cjsView on unpkg
bin/pre-install.cjsView file
Published source reference
Medium
Ai Review Evidence

`bin/pre-install.cjs` can run `npx -y only-allow pnpm` when explicitly invoked.

bin/pre-install.cjsView on unpkg
bin/git.cjsView file
Published source reference
Medium
Ai Review Evidence

`bin/git.cjs` reads GitHub credentials only for release/API commands.

bin/git.cjsView on unpkg

Findings

6 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencebin/prepare.cjs
MediumAi Review Evidencebin/chunk-J4XLLB7C.cjs
MediumAi Review Evidencebin/pre-install.cjs
MediumAi Review Evidencebin/git.cjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings