registry  /  @vyriy/scripts  /  0.8.14

@vyriy/scripts@0.8.14

Shared scripts package for Vyriy projects

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package exposes deployment and smoke-test helpers that can run shell commands or make requests only when consumers invoke those exported functions.

Static reason
One or more suspicious static signals were detected.
Trigger
Consumer imports and calls exported helpers such as deploy(), docker(), kaniko(), site(), mfe(), healthcheck(), or webhooks().
Impact
Expected CDK deploys, Docker/Kaniko image pushes, Lambda invokes, and HTTP smoke checks against caller/CDK-supplied targets.
Mechanism
User-invoked deployment/smoke-test automation
Rationale
Static inspection found deployment and smoke-test primitives, but no install-time/import-time execution, hidden endpoint, credential theft, persistence, destructive behavior, or reviewer/prompt manipulation. The suspicious shell and request behavior is package-aligned and activated by explicit user calls, so this should not be blocked.
Evidence
package.jsonindex.jsdeploy.jsdocker.jskaniko.jshealthcheck.jsmfe.jssite.jswebhooks.jslambda.jscdk.outcdk.out/cloudformation.ymlcdk.out/cdk-outputs.jsoncdk.out/kaniko.logs.txt<path>/Dockerfile
Network endpoints2
vyriy.dev/docs/scripts/github.com/evheniy/vyriy

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • deploy.js and docker.js/kaniko.js run shell commands when exported script functions are explicitly invoked
  • Network requests in healthcheck.js, mfe.js, site.js, webhooks.js target CDK output URLs or caller-provided paths
  • kaniko.js interpolates caller-provided path into an exec command, a dangerous primitive in a deployment helper
Evidence against
  • package.json has no lifecycle scripts or bin entries; import surface is exports/main only
  • index.js only re-exports modules and has no import-time execution
  • No credential harvesting, hidden exfiltration endpoint, persistence, destructive command, eval/vm, dynamic require, or binary/native payload found
  • Shell usage is aligned with documented CDK/Docker/Kaniko deployment helpers and is user-invoked
  • No AI-agent control-surface writes; AGENTS.md is package guidance only
Behavioral surface
Source
ChildProcessShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 8.92 KB of source

Source & flagged code

2 flagged · loading source
kaniko.jsView file
9logger.info('Repository:', repository); L10: await exec(`/kaniko/executor \ L11: --context "${path}" \
High
Child Process

Package source references child process execution.

kaniko.jsView on unpkg · L9
deploy.jsView file
7await exec('mkdir cdk.out'); L8: await exec('npx cdk synth > cdk.out/cloudformation.yml'); L9: await exec('npx aws-cdk diff');
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

deploy.jsView on unpkg · L7

Findings

3 High
HighChild Processkaniko.js
HighShell
HighRuntime Package Installdeploy.js