registry  /  @two-tech-dev/pxml  /  0.9.1

@two-tech-dev/pxml@0.9.1

XML DSL and compiler for AI-driven project building

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The explicit plugin-install CLI command and local Studio endpoint build shell commands from unescaped input. The Studio server enables CORS and accepts arbitrary filesystem paths.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `pxml plugin url-git` or starts `pxml studio` and invokes `/api/plugin/add`.
Impact
A caller able to supply plugin URL/name can execute shell syntax with the CLI or Studio process privileges.
Mechanism
Shell command injection through interpolated `git clone` arguments.
Rationale
Source inspection does not show malicious intent or automatic compromise, but it confirms an exploitable command-injection surface in package-owned runtime code. Warn rather than block because activation requires an explicit CLI/Studio action and no unconsented install-time behavior exists.
Evidence
package.jsonsrc/index.tssrc/studio.tsdist/index.jsdist/studio.jspackages/<name>.pxml/layout.json.pxml/export.xml
Network endpoints1
localhost

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `src/index.ts` interpolates `url` and `target` into `execSync(git clone ...)` for explicit `plugin url-git`.
  • `src/studio.ts` exposes CORS-enabled `/api/plugin/add` and passes request `url` and `name` to interpolated `execSync`.
  • `src/studio.ts` accepts caller-controlled project paths for browsing, reading, and writing project files.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • CLI actions are registered through explicit Commander commands; importing the package only defines commands.
  • No direct credential upload, remote payload fetch/eval, persistence, or destructive cleanup appears in package source.
  • `dist/index.js` and `dist/studio.js` reflect the reviewed TypeScript command and Studio behavior.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 7 file(s), 1.26 MB of source, external domains: reactflow.dev, reactjs.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @two-tech-dev/pxml@0.9.0 matchedIdentity = npm:QHR3by10ZWNoLWRldi9weG1s:0.9.0 similarity = 0.714 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
4import { PxmlParser, validateProject, PxmlManifest, PxmlCache, PxmlCodegen, PxmlRunner, getTestFilePath, FileWriter, DependencyGraph, runFixLoop, runBuildLoop, syncEditorSchema, ad... L5: import { execSync } from 'child_process'; L6: import * as fs from 'fs';
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L4
357console.log(colors.cyan(colors.bold(`\nRunning tests...`))); L358: const testCmd = `npx vitest run ${testTarget}`; L359: let batchPassed = false; L360: try { L361: execSync(testCmd, { stdio: 'pipe', cwd }); L362: batchPassed = true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L357

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/index.js
HighShell
HighRuntime Package Installdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License