registry  /  @vyriy/scripts  /  0.9.0

@vyriy/scripts@0.9.0

Shared scripts package for Vyriy projects

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package exposes user-invoked deployment and smoke-test helpers that run cloud/docker commands or request project URLs.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit import and invocation of exported helpers such as deploy(), docker(), kaniko(), site(), or healthcheck().
Impact
Expected CDK deploys, Docker/Kaniko image pushes, Lambda invokes, and HTTP checks against caller/project configured endpoints.
Mechanism
User-invoked CI/deployment and smoke-test command wrappers
Rationale
Static inspection shows a small Vyriy utility package of exported deployment and smoke-test scripts with no lifecycle hook, import-time side effect, hidden persistence, exfiltration, or AI-agent hijack behavior. The risky primitives are package-aligned and require explicit user invocation with project/cloud configuration.
Evidence
package.jsonindex.jsdeploy.jsdocker.jskaniko.jsapi.jshealthcheck.jslambda.jsmfe.jssite.jswebhooks.jsREADME.mdcdk.outcdk.out/cloudformation.ymlcdk.out/cdk-outputs.jsoncdk.out/kaniko.logs.txt
Network endpoints2
vyriy.dev/docs/scripts/github.com/evheniy/vyriy

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no npm lifecycle scripts or bin entries; main only re-exports modules.
    • deploy.js/docker.js/kaniko.js shell commands are exported script helpers for CDK/ECR/Docker/Kaniko workflows, not install/import-time execution.
    • Network requests in api.js/healthcheck.js/mfe.js/site.js/webhooks.js target URLs read from CDK outputs or caller-provided paths.
    • No credential harvesting, AI-agent control-surface writes, persistence, obfuscated payloads, eval/vm, or dynamic require/import found.
    • Scanner runtime_package_install appears to match README install text or npx CDK commands, not package-manager install at runtime.
    Behavioral surface
    Source
    ChildProcessShell
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 10 file(s), 8.92 KB of source

    Source & flagged code

    2 flagged · loading source
    kaniko.jsView file
    9logger.info('Repository:', repository); L10: await exec(`/kaniko/executor \ L11: --context "${path}" \
    High
    Child Process

    Package source references child process execution.

    kaniko.jsView on unpkg · L9
    deploy.jsView file
    7await exec('mkdir cdk.out'); L8: await exec('npx cdk synth > cdk.out/cloudformation.yml'); L9: await exec('npx aws-cdk diff');
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    deploy.jsView on unpkg · L7

    Findings

    3 High
    HighChild Processkaniko.js
    HighShell
    HighRuntime Package Installdeploy.js