registry  /  accelr8  /  3.0.3

accelr8@3.0.3

Collaborative ascii canvas in your terminal. Real multiplayer, live cursors, mouse-driven TUI.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI performs user-invoked updates, optional FFmpeg setup, and configured AI-provider calls for its stated collaborative terminal app features.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `accelr8`, confirms an update/voice setup, or explicitly adds and invokes an agent.
Impact
Writes package-owned `~/.accelr8` settings, identity, update, and agent credential files; network use is feature-aligned.
Mechanism
Interactive CLI, WebSocket collaboration, optional package update, and user-configured AI requests.
Rationale
Direct source inspection shows feature-aligned, user-triggered execution and network behavior rather than install-time or covert malicious behavior. The scanner’s runtime-install and child-process signals are explained by interactive updater, FFmpeg, voice, and restricted AI-agent features.
Evidence
package.jsondist/cli.jsdist/chunks/update-UEPNGB6Y.jsdist/chunks/install-DL5WLVXN.jsdist/chunks/chunk-3JNUWI22.jsdist/chunks/client-HLMFYYAQ.jsdist/chunks/server-IVR5UHTM.js~/.accelr8/identity.json~/.accelr8/settings.json~/.accelr8/update-check.json~/.accelr8/accounts.json~/.accelr8/agent-tokens.json
Network endpoints4
wss://accelr8-canvas.patonchain.workers.devregistry.npmjs.org/accelr8/latestapi.anthropic.comapi.openai.com

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/chunks/update-UEPNGB6Y.js` can run `npm install -g accelr8@latest`, but only from the interactive update action.
  • `dist/chunks/chunk-3JNUWI22.js` stores user-provided AI API keys locally and sends them to their selected Anthropic/OpenAI API endpoint during explicit agent use.
Evidence against
  • `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook executes for consumers.
  • `dist/cli.js` gates all behavior behind explicit CLI invocation; dynamic imports select normal client/server/agent commands.
  • `dist/chunks/install-DL5WLVXN.js` only proposes or runs FFmpeg installation after an in-app confirmation.
  • `dist/chunks/chunk-3JNUWI22.js` limits Claude CLI to plan mode and disallows file, shell, web, and task tools.
  • No hidden endpoint, remote code loader, credential harvesting, destructive action, or foreign AI-agent configuration write was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 211 KB of source, external domains: api.anthropic.com, api.openai.com, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/chunks/chunk-3JNUWI22.jsView file
148// src/executor.ts L149: import { spawn } from "node:child_process"; L150: var ANTHROPIC_VERSION = "2023-06-01";
High
Child Process

Package source references child process execution.

dist/chunks/chunk-3JNUWI22.jsView on unpkg · L148
135const a = process.env.ANTHROPIC_API_KEY?.trim(); L136: const o = process.env.OPENAI_API_KEY?.trim(); L137: if (a) out.anthropic = a; ... L148: // src/executor.ts L149: import { spawn } from "node:child_process"; L150: var ANTHROPIC_VERSION = "2023-06-01"; L151: var ANTHROPIC_BASE = "https://api.anthropic.com"; L152: var OPENAI_BASE = "https://api.openai.com";
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunks/chunk-3JNUWI22.jsView on unpkg · L135
dist/chunks/update-UEPNGB6Y.jsView file
60const u = cachedUpdate(current, baseDir); L61: return u ? `update available \xB7 v${u.latest} \xB7 npm i -g accelr8@latest` : null; L62: } ... L66: try { L67: child = spawn("npm", ["install", "-g", "accelr8@latest", "--no-fund", "--no-audit"], { stdio: ["ignore", "pipe", "pipe"] }); L68: } catch (e) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/chunks/update-UEPNGB6Y.jsView on unpkg · L60
dist/chunks/install-DL5WLVXN.jsView file
matchType = previous_version_dangerous_delta matchedPackage = accelr8@3.0.1 matchedIdentity = npm:YWNjZWxyOA:3.0.1 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunks/install-DL5WLVXN.jsView on unpkg

Findings

1 Critical4 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/chunks/install-DL5WLVXN.js
HighChild Processdist/chunks/chunk-3JNUWI22.js
HighShell
HighSame File Env Network Executiondist/chunks/chunk-3JNUWI22.js
HighRuntime Package Installdist/chunks/update-UEPNGB6Y.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings