registry  /  @treeseed/sdk  /  0.12.32

@treeseed/sdk@0.12.32

Shared Treeseed SDK for content-backed and D1-backed object models.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes exported Treeseed workflow/dependency/Copilot helpers or treeseed-sdk-verify bin.
Impact
Could perform broad repository/tool actions under caller-provided credentials if an operator invokes these APIs with unsafe prompts or tool sets; no unconsented lifecycle hijack or exfiltration found.
Mechanism
User-invoked agent/tool automation with auto-approved Copilot permissions and managed tool installation.
Policy narrative
If a consumer explicitly calls runTreeseedCopilotTask, the SDK creates a Copilot session and approves permission requests automatically, so prompts/tool configuration determine what actions run in the target working directory. Dependency helpers can also install GitHub CLI/gh-act and npm-backed tools into Treeseed-managed cache locations. These are dangerous operational capabilities but are not triggered by install/import and appear aligned with the package's documented Treeseed workflow purpose.
Rationale
Source inspection supports a warning for dangerous user-invoked agent/tool automation, not a publish block: no lifecycle mutation of foreign AI-agent control surfaces, persistence, credential exfiltration, or hidden import-time execution was confirmed.
Evidence
package.jsondist/copilot.jsdist/managed-dependencies.jsdist/verification.jsdist/service-credentials.jsdist/operations/services/github-api.js.treeseed/toolsGH_CONFIG_DIR/tmp/treeseed-verify-act.locktemporary treeseed-verify-act workflow directorytenantRoot/package.jsontenantRoot/node_modules
Network endpoints4
github.com/cli/cli/releases/download/v2.90.0github.com/nektos/gh-actapi.treeseed.devapi.cloudflare.com/client/v4/accounts

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/copilot.js creates Copilot sessions with onPermissionRequest: approveAll.
  • dist/managed-dependencies.js can install npm deps, download GitHub CLI, and install gh-act when installTreeseedDependencies is invoked.
  • dist/verification.js bin runs npm/gh/docker verification commands and writes temporary act workflows.
Evidence against
  • package.json has no postinstall/install hook; prepare points to absent scripts/prepare.ts in packed files and dist/scripts/prepare.js only builds dist.
  • No .claude/.mcp/Codex/Cursor control-surface writes found by source search.
  • Credential helpers use TREESEED_* env vars for GitHub/Cloudflare/Railway/Docker/Codex operations, not broad secret harvesting.
  • GitHub/Cloudflare/Railway network code is package-aligned operational automation and requires configured tokens.
  • Risky child_process/file writes are exported/bin/user-invoked tooling, not import-time execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 337 file(s), 4.48 MB of source, external domains: 127.0.0.1, api.cloudflare.com, api.github.com, api.preview.treeseed.dev, api.treeseed.dev, api.treeseed.local, auth.docker.io, backboard.railway.com, cli.github.com, crates.io, discord.gg, example.com, gateway.ai.cloudflare.com, github.com, hex.pm, host.docker.internal, hub.docker.com, knowledge.coop, preview.treeseed.dev, pypi.org, registry-1.docker.io, registry.npmjs.org, smoke.example.com, staging.treeseed-e2e.example.com, treeseed.dev, www.treeseed.dev

Source & flagged code

7 flagged · loading source
dist/scenes/render-media-assets.jsView file
2import { createHash } from "node:crypto"; L3: import { spawnSync } from "node:child_process"; L4: import { extname, join } from "node:path";
High
Child Process

Package source references child process execution.

dist/scenes/render-media-assets.jsView on unpkg · L2
dist/platform-operation-store.jsView file
173async function createPostgresRelationalAdapter(databaseUrl) { L174: const importer = new Function("specifier", "return import(specifier)"); L175: const { Pool } = await importer("pg");
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/platform-operation-store.jsView on unpkg · L173
dist/scenes/seed.jsView file
21if (!existsSync(applyModulePath)) return null; L22: const module = await import(pathToFileURL(applyModulePath).href); L23: return module.applyLocalSeedViaApiFromCli ?? module.applyLocalSeedFromCli ?? null;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/scenes/seed.jsView on unpkg · L21
dist/platform/book-export.jsView file
132} L133: function loadTenant(projectRoot = process.cwd()) { L134: const manifestPath = resolve(projectRoot, "src", "manifest.yaml"); ... L203: } L204: async function withCleanNodeExecArgv(action) { L205: const previousExecArgv = [...process.execArgv]; ... L224: copy: false, L225: stdout: false L226: };
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/platform/book-export.jsView on unpkg · L132
dist/workflow/operations.jsView file
4231runtime: { L4232: mode: process.env.TREESEED_LOCAL_DEV_MODE ?? "cloudflare", L4233: apiBaseUrl: process.env.TREESEED_API_BASE_URL ?? "http://127.0.0.1:3000", L4234: webUrl: "http://127.0.0.1:8787" ... L4239: } L4240: const result = spawnSync(process.execPath, args, { L4241: cwd: tenantRoot,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/workflow/operations.jsView on unpkg · L4231
dist/managed-dependencies.jsView file
472const remediation = [ L473: "Run `npx trsd install --json` to install or inspect managed tools.", L474: "Run `npx trsd secrets:unlock` or provide TREESEED_KEY_PASSPHRASE so machine secrets can be decrypted.", ... L486: } L487: const result = (options.spawn ?? spawnSync)(gh.command, [...gh.argsPrefix, "auth", "status", "--hostname", "github.com"], { L488: cwd: options.tenantRoot,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/managed-dependencies.jsView on unpkg · L472
dist/operations/services/github-api.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @treeseed/sdk@0.12.23 matchedIdentity = npm:QHRyZWVzZWVkL3Nkaw:0.12.23 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/operations/services/github-api.jsView on unpkg

Findings

1 Critical4 High4 Medium9 Low
CriticalPrevious Version Dangerous Deltadist/operations/services/github-api.js
HighChild Processdist/scenes/render-media-assets.js
HighShell
HighSame File Env Network Executiondist/workflow/operations.js
HighRuntime Package Installdist/managed-dependencies.js
MediumDynamic Requiredist/scenes/seed.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/platform-operation-store.js
LowWeak Cryptodist/platform/book-export.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License