registry  /  @xnetjs/plugins  /  0.1.0

@xnetjs/plugins@0.1.0

Plugin system for xNet -- registry, sandboxed script execution, AI-powered script generation, and service integrations.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package provides plugin/connectors, local API, sandbox, webhook, and process-management primitives that are runtime/user-invoked and package-aligned.

Static reason
One or more suspicious static signals were detected.
Trigger
user imports library APIs and explicitly starts servers, connectors, webhooks, sandbox scripts, or managed processes
Impact
No install-time persistence, credential harvesting, exfiltration, or unconsented AI-agent control-surface mutation found.
Mechanism
guarded plugin framework and user-configured runtime services
Rationale
Static inspection found suspicious primitives, but they are framework capabilities behind explicit runtime APIs with capability checks, scoped secrets, or caller-supplied configuration. There are no lifecycle hooks, import-time execution chains, hardcoded exfiltration endpoints, destructive behavior, or unconsented AI-agent control mutations.
Evidence
package.jsondist/index.jsdist/services/node.jsREADME.md
Network endpoints12
slack.com/api/conversations.historyslack.com/api/conversations.listapi.github.com/repos/api.notion.com/v1/searchapi.airtable.com/v0/api.linear.app/graphqlapi.telegram.org/botapi.resend.com/emailsapi.anthropic.comapi.openai.comopenrouter.ai/api127.0.0.1:31416

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks and only exports ./dist/index.js and ./dist/services/node.js.
    • dist/index.js guardedFetch enforces declared network capabilities before calling injected/global fetch.
    • dist/index.js connectors use declared secrets and hosts for Slack, GitHub, Notion, Airtable, Linear and webhook actions.
    • dist/services/node.js LocalAPIServer binds to 127.0.0.1 by default and uses bearer/scoped token checks when configured.
    • dist/services/node.js ScriptSandbox validates AST, blocks eval/import/require/process/fetch globals, and shadows dangerous globals before new Function.
    • dist/services/node.js child_process spawn is in a user-invoked ManagedProcess abstraction using caller-supplied service definitions, not install/import-time execution.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 662 KB of source, external domains: 127.0.0.1, api.airtable.com, api.anthropic.com, api.example.com, api.github.com, api.linear.app, api.notion.com, api.openai.com, api.resend.com, api.telegram.org, crm.example.test, open.spotify.com, openrouter.ai, slack.com, vimeo.com, www.youtube.com, youtu.be

    Source & flagged code

    3 flagged · loading source
    dist/index.jsView file
    8802"process.", L8803: "child_process" L8804: ];
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L8802
    8741}, L8742: // No new Function() L8743: NewExpression: (node) => {
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/index.jsView on unpkg · L8741
    dist/services/node.jsView file
    2Cross-file remote execution chain: dist/services/node.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2: import { timingSafeEqual } from "crypto"; L3: import { createServer } from "http"; L4: import { URL as URL2 } from "url"; ... L134: try { L135: const parsed = JSON.parse(serialized); L136: const validation = validateAiMutationPlan(parsed); ... L1029: canvasId: { type: "string", description: "Canvas node id." }, L1030: includeXNetMetadata: { L1031: type: "boolean", ... L4583: * Start the MCP server in stdio mode. L4584: * Reads JSON-RPC requests from stdin and writes responses to stdout. L4585: */
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/services/node.jsView on unpkg · L2

    Findings

    2 High2 Medium5 Low
    HighChild Processdist/index.js
    HighCross File Remote Execution Contextdist/services/node.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowEvaldist/index.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings