registry  /  @uge/payo  /  1.1.2

@uge/payo@1.1.2

CLI tool to generate AI rules and skills for your project

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an interactive CLI that reads project manifests/layout and writes user-requested AI assistant guidance files, with optional local assistant CLI execution.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs payo/npx @uge/payo and answers prompts
Impact
Creates or backs up guidance/config files in the current project; no install-time execution or exfiltration identified
Mechanism
interactive project config generator with optional local AI CLI invocation
Rationale
The suspicious primitives are package-aligned and user-invoked: local assistant CLI spawning and project file writes implement the documented purpose. Static inspection found no lifecycle execution, credential collection, hidden download, persistence, or exfiltration path.
Evidence
package.jsonREADME.mddist/index.jsAGENTS.mdCLAUDE.md.cursorrules.cursor/rules/**.claude/skills/**.github/copilot-instructions.md.github/instructions/**.agents/skills/**.windsurfrulesAI_RULES.md.payo/**bootstrap-prompt.md

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js imports child_process spawn/spawnSync to invoke local assistant CLIs when selected
  • dist/index.js can write AI guidance files such as AGENTS.md, CLAUDE.md, .cursorrules, .claude/skills/**
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts
  • CLI entrypoint only runs on user invocation via bin payo or main dist/index.js
  • dist/index.js child_process usage is limited to which/where probes and selected local assistant binaries
  • dist/index.js constrains generated writes to process.cwd() via RX path check refusing outside-project paths
  • No credential harvesting or outbound exfiltration endpoint found in package source
  • README documents the same interactive AI rules/skills generation behavior
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 474 KB of source, external domains: github.com, json-schema.org

Source & flagged code

4 flagged · loading source
dist/index.jsView file
174`)} L175: ---`}var K_={id:"cursor",displayName:"Cursor",knownArtifacts:[".cursorrules",".cursor/rules"],generate:(r)=>[{path:".cursorrules",content:vr("Cursor Rules",r.sections)}],agent:{bin... L176: `),b=v.map((z)=>`- ${z}: one of [${s1(z,g).join(", ")}]`).join(`
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L174
174`)} L175: ---`}var K_={id:"cursor",displayName:"Cursor",knownArtifacts:[".cursorrules",".cursor/rules"],generate:(r)=>[{path:".cursorrules",content:vr("Cursor Rules",r.sections)}],agent:{bin... L176: `),b=v.map((z)=>`- ${z}: one of [${s1(z,g).join(", ")}]`).join(` ... L179: `),"Review your stack"),await g()==="generate")return v;let i=qX(r,v),u=await $(i);if(!u)continue;let I=i.find((U)=>U.id===u);if(!I)continue;if(I.kind==="gate")v=oX(r,v,u);else{let... L180: `),`Recommended ${g.title} settings`)}let b=await vv({id:g.id,type:"select",message:`${g.title} — how to proceed?`,options:U,allowOther:!1},v.answers);v=wr(v,g.id,b),I=ib(b)}if(I==... L181: `)}];var aN={id:"tailwind",title:"Tailwind CSS",category:"styling",appliesTo:(r)=>r.stylingLibrary==="tailwind",questions:()=>[{id:"tailwind.config",type:"select",summary:"Config s...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L174
164`)});let a=[],x=kr(r,"formatter");if(x)a.push(`- Formatter: ${x}`);let M=kr(r,"linter");if(M)a.push(`- Linter: ${M}`);if(a.length)v.push({title:"Tooling",body:a.join(` L165: `)});let O=kr(r,"gitWorkflow");if(O){let V=[`Follow the ${O} workflow.`,"- Maintain a comprehensive .gitignore (build output, dependencies, environment/secret files, OS/editor arti... L166: `)})}v.push(...P_(r));let d=Object.keys(r).filter((V)=>V.includes(".")&&r[V]!==void 0&&r[V]!=="").map((V)=>`- ${nX(V)}: ${iX(r[V])}`);if(d.length)v.push({title:"Tech Details",body:... ... L174: `)} L175: ---`}var K_={id:"cursor",displayName:"Cursor",knownArtifacts:[".cursorrules",".cursor/rules"],generate:(r)=>[{path:".cursorrules",content:vr("Cursor Rules",r.sections)}],agent:{bin... L176: `),b=v.map((z)=>`- ${z}: one of [${s1(z,g).join(", ")}]`).join(` ... L179: `),"Review your stack"),await g()==="generate")return v;let i=qX(r,v),u=await $(i);if(!u)continue;let I=i.find((U)=>U.id===u);if(!I)continue;if(I.kind==="gate")v=oX(r,v,u);else{let... L180: `),`Recommended ${g.title} settings`)}let b=await vv({id:g.id,type:"select",message:`${g.title} — how to proceed?`,options:U,allowOther:!1},v.answers);v=wr(v,g.id,b),I=ib(
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L164
83${I} L84: `}}}}).prompt();import pv from"fs";import wW from"path";import{randomUUID as CW}from"crypto";var Fr={};lr(Fr,{xor:()=>ED,xid:()=>a0,void:()=>GD,uuidv7:()=>T0,uuidv6:()=>m0,uuidv4:(... L85: `)}var H$=(r)=>(v,n,g,$)=>{let i=g?{...g,async:!1}:{async:!1},u=v._zod.run({value:n,issues:[]},i);if(u instanceof Promise)throw new or;if(u.issues.length){let I=new($?.Err??r)(u.is...
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L83

Findings

3 High2 Medium5 Low
HighChild Processdist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings