AI Security Review
scanned 2h ago · by lpm-firewall-aiNo install-time malware behavior is present. The explicitly launched Studio server exposes an unauthenticated, CORS-permissive plugin route with request-controlled shell arguments, creating remote command-execution risk.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `pxml studio` and a browser or network client calls `/api/plugin/add`.
Impact
An attacker able to reach the Studio server can execute shell syntax supplied in the plugin URL or target name with the Studio user's privileges.
Mechanism
CORS-exposed shell command injection through `git clone`.
Rationale
Source inspection finds a concrete Studio command-execution vulnerability but no malicious install-time, exfiltration, persistence, or stealth chain. The static malicious label is therefore unsupported; flag the package for remediation rather than block publication as malware.
Evidence
package.jsonsrc/studio.tssrc/index.tsdist/studio.jsdist/index.js
Network endpoints1
localhost:${port}
Decision evidence
public snapshotAI called this Suspicious at 94.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `src/studio.ts` enables unrestricted CORS and starts an HTTP/WebSocket server.
- `/api/plugin/add` passes request-controlled `url` and destination into `execSync("git clone ...")`.
- The Studio listener is started by explicit `pxml studio`; no authentication or localhost-only binding is set.
Evidence against
- `package.json` has no preinstall, install, or postinstall lifecycle hook.
- Source contains no credential harvesting, exfiltration endpoint, obfuscated payload, or persistence logic.
- CLI shell and package-install behavior is attached to explicit user commands, not import or installation.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @two-tech-dev/pxml@0.8.1
matchedIdentity = npm:QHR3by10ZWNoLWRldi9weG1s:0.8.1
similarity = 0.833
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg4import { PxmlParser, validateProject, PxmlManifest, PxmlCache, PxmlCodegen, PxmlRunner, getTestFilePath, FileWriter, DependencyGraph, runFixLoop, runBuildLoop, syncEditorSchema, ad...
L5: import { execSync } from 'child_process';
L6: import * as fs from 'fs';
High
356console.log(colors.cyan(colors.bold(`\nRunning tests...`)));
L357: const testCmd = `npx vitest run ${testTarget}`;
L358: let batchPassed = false;
L359: try {
L360: execSync(testCmd, { stdio: 'pipe', cwd });
L361: batchPassed = true;
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L356Findings
1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License