registry  /  @xnetjs/plugins  /  0.1.1

@xnetjs/plugins@0.1.1

Plugin system for xNet -- registry, sandboxed script execution, AI-powered script generation, and service integrations.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious package attack surface was found. The package exposes a plugin framework with optional connectors, webhooks, local services, sandboxed scripts, and workspace export APIs that run only when application code invokes them.

Static reason
One or more suspicious static signals were detected.
Trigger
Runtime API calls by a consuming xNet host or plugin author; no npm install-time trigger.
Impact
No evidence of unconsented install-time mutation, credential harvesting, exfiltration, destructive behavior, or remote payload execution.
Mechanism
User-invoked framework capabilities with consent/capability checks
Rationale
Static inspection shows suspicious primitives are package-aligned exported framework features with explicit invocation, capability declarations, and no lifecycle hooks. There is no concrete attack chain for unconsented execution, exfiltration, persistence, or AI-agent control-surface hijack at install/import time.
Evidence
package.jsonREADME.mddist/index.jsdist/services/node.js.codex/config.toml.mcp.json.xnet/manifest.jsonl.xnet/export-state.jsonAGENTS.mdSKILL.mdPages/*Databases/*Canvases/*.xnet/nodes/*
Network endpoints4
slack.com/api/conversations.historyslack.com/api/conversations.list?types=public_channel,private_channelapi.telegram.org/bot{token}/sendMessageapi.resend.com/emails

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • Manifest has no preinstall/install/postinstall hooks; main is ./dist/index.js and node subpath is explicit.
    • Network code is capability-gated framework code: guardedFetch asserts declared plugin network caps before fetch.
    • Secret use is scoped to connector/action builders requiring ctx.env keys and declared capabilities, not ambient harvesting.
    • Dynamic execution is a sandbox API using AST validation, forbidden globals, and shadowed process/fetch/require.
    • child_process spawn appears only in ManagedProcess.start(), invoked by host-provided service definitions.
    • Node exporter writes workspace projection files only when host calls export/checkout with a rootDir.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 662 KB of source, external domains: 127.0.0.1, api.airtable.com, api.anthropic.com, api.example.com, api.github.com, api.linear.app, api.notion.com, api.openai.com, api.resend.com, api.telegram.org, crm.example.test, open.spotify.com, openrouter.ai, slack.com, vimeo.com, www.youtube.com, youtu.be

    Source & flagged code

    3 flagged · loading source
    dist/index.jsView file
    8802"process.", L8803: "child_process" L8804: ];
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L8802
    8741}, L8742: // No new Function() L8743: NewExpression: (node) => {
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/index.jsView on unpkg · L8741
    dist/services/node.jsView file
    2Cross-file remote execution chain: dist/services/node.js spawns dist/index.js; helper contains network access plus dynamic code execution. L2: import { timingSafeEqual } from "crypto"; L3: import { createServer } from "http"; L4: import { URL as URL2 } from "url"; ... L134: try { L135: const parsed = JSON.parse(serialized); L136: const validation = validateAiMutationPlan(parsed); ... L1029: canvasId: { type: "string", description: "Canvas node id." }, L1030: includeXNetMetadata: { L1031: type: "boolean", ... L4583: * Start the MCP server in stdio mode. L4584: * Reads JSON-RPC requests from stdin and writes responses to stdout. L4585: */
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/services/node.jsView on unpkg · L2

    Findings

    2 High2 Medium5 Low
    HighChild Processdist/index.js
    HighCross File Remote Execution Contextdist/services/node.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowEvaldist/index.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings