AI Security Review
scanned 2h ago · by lpm-firewall-aiThe explicit plugin-install CLI command and local Studio endpoint build shell commands from unescaped input. The Studio server enables CORS and accepts arbitrary filesystem paths.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `pxml plugin url-git` or starts `pxml studio` and invokes `/api/plugin/add`.
Impact
A caller able to supply plugin URL/name can execute shell syntax with the CLI or Studio process privileges.
Mechanism
Shell command injection through interpolated `git clone` arguments.
Rationale
Source inspection does not show malicious intent or automatic compromise, but it confirms an exploitable command-injection surface in package-owned runtime code. Warn rather than block because activation requires an explicit CLI/Studio action and no unconsented install-time behavior exists.
Evidence
package.jsonsrc/index.tssrc/studio.tsdist/index.jsdist/studio.jspackages/<name>.pxml/layout.json.pxml/export.xml
Network endpoints1
localhost
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
- `src/index.ts` interpolates `url` and `target` into `execSync(git clone ...)` for explicit `plugin url-git`.
- `src/studio.ts` exposes CORS-enabled `/api/plugin/add` and passes request `url` and `name` to interpolated `execSync`.
- `src/studio.ts` accepts caller-controlled project paths for browsing, reading, and writing project files.
Evidence against
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- CLI actions are registered through explicit Commander commands; importing the package only defines commands.
- No direct credential upload, remote payload fetch/eval, persistence, or destructive cleanup appears in package source.
- `dist/index.js` and `dist/studio.js` reflect the reviewed TypeScript command and Studio behavior.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @two-tech-dev/pxml@0.9.0
matchedIdentity = npm:QHR3by10ZWNoLWRldi9weG1s:0.9.0
similarity = 0.714
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkg4import { PxmlParser, validateProject, PxmlManifest, PxmlCache, PxmlCodegen, PxmlRunner, getTestFilePath, FileWriter, DependencyGraph, runFixLoop, runBuildLoop, syncEditorSchema, ad...
L5: import { execSync } from 'child_process';
L6: import * as fs from 'fs';
High
357console.log(colors.cyan(colors.bold(`\nRunning tests...`)));
L358: const testCmd = `npx vitest run ${testTarget}`;
L359: let batchPassed = false;
L360: try {
L361: execSync(testCmd, { stdio: 'pipe', cwd });
L362: batchPassed = true;
High
Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/index.jsView on unpkg · L357Findings
1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License