registry  /  @treeseed/sdk  /  0.12.10

@treeseed/sdk@0.12.10

Shared Treeseed SDK for content-backed and D1-backed object models.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. Risky primitives are tied to Treeseed SDK deployment, verification, dependency setup, scene rendering, and secret-management commands that require explicit user/runtime invocation.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit import/API call or treeseed-sdk-verify execution, not package install.
Impact
Could run package-aligned tooling and write Treeseed project config when invoked, but no unconsented install-time execution or exfiltration was found.
Mechanism
User-invoked SDK tooling for verification, deployment, managed dependencies, and secrets.
Rationale
The package contains broad deployment and automation capabilities, but inspected code ties them to documented Treeseed SDK workflows and explicit commands rather than install/import-time abuse. I found no concrete credential harvesting, covert exfiltration, persistence, destructive lifecycle hook, dependency confusion, or AI-agent control hijack behavior.
Evidence
package.jsonscripts/verify-driver.tsdist/verification.jsdist/managed-dependencies.jsdist/operations/services/config-runtime.jsdist/scenes/seed.jsdist/service-credentials.js.treeseed/config/machine.yaml.treeseed/config/machine.key.treeseed/config/remote-auth.json.treeseed/worktree.jsontreeseed/cache/template-catalog.json
Network endpoints5
api.treeseed.devapi.preview.treeseed.devgithub.com/cli/cli/releases/download/v2.90.0api.cloudflare.com/client/v4/accountsgithub.com/nektos/gh-act

Decision evidence

public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/managed-dependencies.js can download GitHub CLI and run npm install/rebuild, but only via exported installTreeseedDependencies.
  • dist/operations/services/config-runtime.js manages local .treeseed config/secrets and provider credentials in user-invoked workflows.
  • dist/verification.js bin can spawn npm/gh/docker verification commands when treeseed-sdk-verify is run.
Evidence against
  • package.json has no preinstall/install/postinstall hook; prepare points to missing scripts/prepare.ts and is not normal registry install execution.
  • dist/index.js mainly re-exports SDK APIs; no import-time credential harvesting or network exfiltration found.
  • Network hosts are package-aligned: api.treeseed.dev, GitHub/Cloudflare/Railway APIs, gh releases.
  • Credential env handling maps TREESEED_* values to tool-specific env vars for deploy/auth flows, not blanket exfiltration.
  • Dynamic import in dist/scenes/seed.js loads project-local seed runner only when scene seed apply is requested.
  • No AGENTS.md/.codex control-surface writes or reviewer prompt-injection files found in package.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 336 file(s), 4.43 MB of source, external domains: 127.0.0.1, api.cloudflare.com, api.github.com, api.preview.treeseed.dev, api.treeseed.dev, api.treeseed.local, backboard.railway.com, cli.github.com, crates.io, discord.gg, example.com, gateway.ai.cloudflare.com, github.com, hex.pm, host.docker.internal, hub.docker.com, knowledge.coop, preview.treeseed.dev, pypi.org, registry.npmjs.org, smoke.example.com, staging.treeseed-e2e.example.com, treeseed.dev, www.treeseed.dev

Source & flagged code

7 flagged · loading source
dist/scenes/render-media-assets.jsView file
2import { createHash } from "node:crypto"; L3: import { spawnSync } from "node:child_process"; L4: import { extname, join } from "node:path";
High
Child Process

Package source references child process execution.

dist/scenes/render-media-assets.jsView on unpkg · L2
dist/platform-operation-store.jsView file
173async function createPostgresRelationalAdapter(databaseUrl) { L174: const importer = new Function("specifier", "return import(specifier)"); L175: const { Pool } = await importer("pg");
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/platform-operation-store.jsView on unpkg · L173
dist/scenes/seed.jsView file
21if (!existsSync(applyModulePath)) return null; L22: const module = await import(pathToFileURL(applyModulePath).href); L23: return module.applyLocalSeedViaApiFromCli ?? module.applyLocalSeedFromCli ?? null;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/scenes/seed.jsView on unpkg · L21
dist/platform/book-export.jsView file
132} L133: function loadTenant(projectRoot = process.cwd()) { L134: const manifestPath = resolve(projectRoot, "src", "manifest.yaml"); ... L203: } L204: async function withCleanNodeExecArgv(action) { L205: const previousExecArgv = [...process.execArgv]; ... L224: copy: false, L225: stdout: false L226: };
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/platform/book-export.jsView on unpkg · L132
dist/workflow/operations.jsView file
3963runtime: { L3964: mode: process.env.TREESEED_LOCAL_DEV_MODE ?? "cloudflare", L3965: apiBaseUrl: process.env.TREESEED_API_BASE_URL ?? "http://127.0.0.1:3000", L3966: webUrl: "http://127.0.0.1:8787" ... L3971: } L3972: const result = spawnSync(process.execPath, args, { L3973: cwd: tenantRoot,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/workflow/operations.jsView on unpkg · L3963
dist/managed-dependencies.jsView file
472const remediation = [ L473: "Run `npx trsd install --json` to install or inspect managed tools.", L474: "Run `npx trsd secrets:unlock` or provide TREESEED_KEY_PASSPHRASE so machine secrets can be decrypted.", ... L486: } L487: const result = (options.spawn ?? spawnSync)(gh.command, [...gh.argsPrefix, "auth", "status", "--hostname", "github.com"], { L488: cwd: options.tenantRoot,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/managed-dependencies.jsView on unpkg · L472
dist/operations/services/config-runtime.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @treeseed/sdk@0.12.9 matchedIdentity = npm:QHRyZWVzZWVkL3Nkaw:0.12.9 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/operations/services/config-runtime.jsView on unpkg

Findings

1 Critical4 High4 Medium9 Low
CriticalPrevious Version Dangerous Deltadist/operations/services/config-runtime.js
HighChild Processdist/scenes/render-media-assets.js
HighShell
HighSame File Env Network Executiondist/workflow/operations.js
HighRuntime Package Installdist/managed-dependencies.js
MediumDynamic Requiredist/scenes/seed.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/platform-operation-store.js
LowWeak Cryptodist/platform/book-export.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License