registry  /  @vyriy/scripts  /  0.8.13

@vyriy/scripts@0.8.13

Shared scripts package for Vyriy projects

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Risky primitives are explicit deployment, Docker/Kaniko, and smoke-test helpers that run only when their exported functions are called.

Static reason
One or more suspicious static signals were detected.
Trigger
User imports and invokes exported script helpers such as deploy(), docker(), kaniko(), site(), or healthcheck().
Impact
Can deploy CDK stacks, build/push images, write cdk.out logs/artifacts, and call project-defined URLs as part of intended package behavior.
Mechanism
User-invoked deployment and smoke-test command/request helpers
Rationale
Static inspection shows no install-time/import-time execution or covert exfiltration; scanner hits are package-aligned user-invoked deploy and smoke-test helpers. The package should be allowed as clean despite shell/network primitives.
Evidence
package.jsonindex.jsdeploy.jsdocker.jskaniko.jshealthcheck.jsmfe.jssite.jswebhooks.jsAGENTS.mdcdk.outcdk.out/cloudformation.ymlcdk.out/cdk-outputs.jsoncdk.out/kaniko.logs.txt

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • deploy.js runs user-invoked CDK shell commands and writes cdk.out artifacts.
  • docker.js and kaniko.js run container build/push commands using caller/project paths.
  • healthcheck.js, mfe.js, site.js, and webhooks.js make requests to URLs from CDK outputs or caller paths.
Evidence against
  • package.json has no lifecycle scripts or bin entries; main is index.js.
  • index.js only re-exports package modules; no import-time execution found.
  • No credential harvesting, persistence, destructive commands, obfuscated payloads, or AI-agent control writes found.
  • Network use is smoke/deploy functionality driven by user calls and project CDK outputs.
  • AGENTS.md is package guidance only; no source writes to reviewer or agent control surfaces.
Behavioral surface
Source
ChildProcessShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 8.92 KB of source

Source & flagged code

2 flagged · loading source
kaniko.jsView file
9logger.info('Repository:', repository); L10: await exec(`/kaniko/executor \ L11: --context "${path}" \
High
Child Process

Package source references child process execution.

kaniko.jsView on unpkg · L9
deploy.jsView file
7await exec('mkdir cdk.out'); L8: await exec('npx cdk synth > cdk.out/cloudformation.yml'); L9: await exec('npx aws-cdk diff');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

deploy.jsView on unpkg · L7

Findings

3 High
HighChild Processkaniko.js
HighShell
HighRuntime Package Installdeploy.js