AI Security Review
scanned 5d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a user-invoked CLI that manages a .NET project template and can install/update tooling when commands are run.
Decision evidence
public snapshot- src/utils/dotnet.js uses execSync for dotnet, curl, bash, and PowerShell commands
- src/utils/dotnet.js downloads and executes Microsoft dotnet-install scripts when create needs .NET 10
- src/commands/update.js runs user-invoked npm install -g @yearhe9900/mb-toolbox-cli@latest
- src/utils/config.js writes user config to ~/.mb-cli/config.json
- package.json has no install/preinstall/postinstall lifecycle scripts
- bin entry src/cli.js only registers explicit CLI subcommands
- Network activity is tied to CLI create/reinstall/update actions, not install/import time
- No credential/env harvesting, persistence, destructive behavior, or exfiltration found
- NuGet source URL is user-configured and package-aligned for template management
- No AI-agent control-surface writes or prompt/reviewer manipulation found
Source & flagged code
6 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version.
src/utils/dotnet.jsView on unpkgPackage source references child process execution.
src/utils/dotnet.jsView on unpkg · L1Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
src/utils/dotnet.jsView on unpkg · L1Package source references dynamic require/import behavior.
src/utils/config.jsView on unpkg · L1Package source invokes a package manager install command at runtime.
src/commands/update.jsView on unpkg · L11