registry  /  @two-tech-dev/pxml  /  0.9.0

@two-tech-dev/pxml@0.9.0

XML DSL and compiler for AI-driven project building

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time malware behavior is present. The explicitly launched Studio server exposes an unauthenticated, CORS-permissive plugin route with request-controlled shell arguments, creating remote command-execution risk.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `pxml studio` and a browser or network client calls `/api/plugin/add`.
Impact
An attacker able to reach the Studio server can execute shell syntax supplied in the plugin URL or target name with the Studio user's privileges.
Mechanism
CORS-exposed shell command injection through `git clone`.
Rationale
Source inspection finds a concrete Studio command-execution vulnerability but no malicious install-time, exfiltration, persistence, or stealth chain. The static malicious label is therefore unsupported; flag the package for remediation rather than block publication as malware.
Evidence
package.jsonsrc/studio.tssrc/index.tsdist/studio.jsdist/index.js
Network endpoints1
localhost:${port}

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `src/studio.ts` enables unrestricted CORS and starts an HTTP/WebSocket server.
  • `/api/plugin/add` passes request-controlled `url` and destination into `execSync("git clone ...")`.
  • The Studio listener is started by explicit `pxml studio`; no authentication or localhost-only binding is set.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Source contains no credential harvesting, exfiltration endpoint, obfuscated payload, or persistence logic.
  • CLI shell and package-install behavior is attached to explicit user commands, not import or installation.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 7 file(s), 1.26 MB of source, external domains: reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @two-tech-dev/pxml@0.8.1 matchedIdentity = npm:QHR3by10ZWNoLWRldi9weG1s:0.8.1 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
4import { PxmlParser, validateProject, PxmlManifest, PxmlCache, PxmlCodegen, PxmlRunner, getTestFilePath, FileWriter, DependencyGraph, runFixLoop, runBuildLoop, syncEditorSchema, ad... L5: import { execSync } from 'child_process'; L6: import * as fs from 'fs';
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L4
356console.log(colors.cyan(colors.bold(`\nRunning tests...`))); L357: const testCmd = `npx vitest run ${testTarget}`; L358: let batchPassed = false; L359: try { L360: execSync(testCmd, { stdio: 'pipe', cwd }); L361: batchPassed = true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L356

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License