registry  /  @treeseed/sdk  /  0.12.23

@treeseed/sdk@0.12.23

Shared Treeseed SDK for content-backed and D1-backed object models.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. Execution, network, package installation, and secret handling are SDK/deployment features activated by explicit Treeseed workflows or CLI helpers, not install-time payloads.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User-invoked SDK exports, verification bin, or Treeseed workflow operations.
Impact
No unconsented persistence, credential harvesting, exfiltration, or AI-agent control-surface hijack found.
Mechanism
Package-aligned deployment and verification tooling.
Rationale
Scanner findings map to a large deployment SDK with user-invoked subprocess, network, and dependency-management functionality. I found no install-time/import-time payload, foreign AI-agent control mutation, secret exfiltration, destructive behavior, or persistence outside documented Treeseed workflows.
Evidence
package.jsondist/index.jsdist/verification.jsdist/managed-dependencies.jsdist/service-credentials.jsdist/platform/desired-state.jsdist/workflow/operations.jsdist/operations/services/project-platform.jsdist/scenes/render-media-assets.jsdist/scenes/seed.js
Network endpoints4
github.com/cli/cli/releases/download/v2.90.0github.com/nektos/gh-actapi.treeseed.devapi.cloudflare.com/client/v4/accounts

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepare points to absent scripts/prepare.ts and is not a registry consumer install hook.
    • Main dist/index.js is exports/import aggregation with no install-time or import-time execution observed.
    • dist/verification.js only runs subprocess verification when invoked as the bin/verification entrypoint.
    • dist/managed-dependencies.js installs npm deps/GitHub CLI only through exported user-invoked helpers and verifies GitHub CLI checksums.
    • Credential env handling in dist/service-credentials.js maps TREESEED_* tokens to tool env vars; no exfiltration path found.
    • AI/Codex references in dist/platform/desired-state.js mount existing auth into Treeseed local capacity provider config, not lifecycle-write foreign agent config.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsTelemetryUrlStrings
    Manifest
    CopyleftLicense
    scanned 337 file(s), 4.47 MB of source, external domains: 127.0.0.1, api.cloudflare.com, api.github.com, api.preview.treeseed.dev, api.treeseed.dev, api.treeseed.local, auth.docker.io, backboard.railway.com, cli.github.com, crates.io, discord.gg, example.com, gateway.ai.cloudflare.com, github.com, hex.pm, host.docker.internal, hub.docker.com, knowledge.coop, preview.treeseed.dev, pypi.org, registry-1.docker.io, registry.npmjs.org, smoke.example.com, staging.treeseed-e2e.example.com, treeseed.dev, www.treeseed.dev

    Source & flagged code

    7 flagged · loading source
    dist/scenes/render-media-assets.jsView file
    2import { createHash } from "node:crypto"; L3: import { spawnSync } from "node:child_process"; L4: import { extname, join } from "node:path";
    High
    Child Process

    Package source references child process execution.

    dist/scenes/render-media-assets.jsView on unpkg · L2
    dist/platform-operation-store.jsView file
    173async function createPostgresRelationalAdapter(databaseUrl) { L174: const importer = new Function("specifier", "return import(specifier)"); L175: const { Pool } = await importer("pg");
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/platform-operation-store.jsView on unpkg · L173
    dist/scenes/seed.jsView file
    21if (!existsSync(applyModulePath)) return null; L22: const module = await import(pathToFileURL(applyModulePath).href); L23: return module.applyLocalSeedViaApiFromCli ?? module.applyLocalSeedFromCli ?? null;
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/scenes/seed.jsView on unpkg · L21
    dist/platform/book-export.jsView file
    132} L133: function loadTenant(projectRoot = process.cwd()) { L134: const manifestPath = resolve(projectRoot, "src", "manifest.yaml"); ... L203: } L204: async function withCleanNodeExecArgv(action) { L205: const previousExecArgv = [...process.execArgv]; ... L224: copy: false, L225: stdout: false L226: };
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/platform/book-export.jsView on unpkg · L132
    dist/workflow/operations.jsView file
    4212runtime: { L4213: mode: process.env.TREESEED_LOCAL_DEV_MODE ?? "cloudflare", L4214: apiBaseUrl: process.env.TREESEED_API_BASE_URL ?? "http://127.0.0.1:3000", L4215: webUrl: "http://127.0.0.1:8787" ... L4220: } L4221: const result = spawnSync(process.execPath, args, { L4222: cwd: tenantRoot,
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/workflow/operations.jsView on unpkg · L4212
    dist/managed-dependencies.jsView file
    472const remediation = [ L473: "Run `npx trsd install --json` to install or inspect managed tools.", L474: "Run `npx trsd secrets:unlock` or provide TREESEED_KEY_PASSPHRASE so machine secrets can be decrypted.", ... L486: } L487: const result = (options.spawn ?? spawnSync)(gh.command, [...gh.argsPrefix, "auth", "status", "--hostname", "github.com"], { L488: cwd: options.tenantRoot,
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/managed-dependencies.jsView on unpkg · L472
    dist/operations/services/project-platform.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @treeseed/sdk@0.12.22 matchedIdentity = npm:QHRyZWVzZWVkL3Nkaw:0.12.22 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/operations/services/project-platform.jsView on unpkg

    Findings

    1 Critical4 High4 Medium9 Low
    CriticalPrevious Version Dangerous Deltadist/operations/services/project-platform.js
    HighChild Processdist/scenes/render-media-assets.js
    HighShell
    HighSame File Env Network Executiondist/workflow/operations.js
    HighRuntime Package Installdist/managed-dependencies.js
    MediumDynamic Requiredist/scenes/seed.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/platform-operation-store.js
    LowWeak Cryptodist/platform/book-export.js
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings
    LowCopyleft License