registry  /  artifakt  /  0.1.3

artifakt@0.1.3

Artifakt — control what your AI ships. The open-source, vendor-neutral gate where a human reviews, approves, and owns AI-generated work. Point → Comment → Revise → Approve.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `artifakt setup ...`, `artifakt pair`, or runner commands.
Impact
A user who enables the integration grants the package a durable path to invoke installed AI-agent CLIs and modify their integration configuration.
Mechanism
User-invoked AI-agent integration, local runner persistence, and remote task polling.
Rationale
Source inspection confirms a real, user-invoked AI-agent control and persistence capability, but no unconsented npm lifecycle execution or concrete malicious chain. Warn rather than block under the install-control-surface policy.
Evidence
package.jsonbin/artifakt.mjsbin/agent-templates.mjsbin/prepare-package.mjssrc/mcp/server.ts~/.codex/config.toml~/.codex/artifakt-review.md~/.claude/skills/artifakt-review/SKILL.md~/.claude/commands/artifakt-push.md~/.claude/commands/artifakt-listen.md~/.claude.json~/.artifakt/runner.json~/.config/systemd/user/artifakt-runner.service~/Library/LaunchAgents/com.artifakt.runner.plist
Network endpoints2
app.artifakthq.com/api/mcplocalhost:3000

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/artifakt.mjs` explicitly writes Claude Desktop and Codex MCP configuration during `setup` commands.
  • `bin/artifakt.mjs` installs a persistent per-user runner through systemd or launchd only via runner commands.
  • `bin/agent-templates.mjs` adds trust state to `~/.claude.json` for Artifakt-created worker directories.
  • The runner polls Artifakt and can launch detected AI CLIs for armed artifacts.
  • Cloud setup stores and uses a bearer token for `https://app.artifakthq.com/api/mcp`.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • Agent configuration and runner installation are reached only through explicit CLI setup/runner commands.
  • No source evidence of credential harvesting, hidden exfiltration, eval, or remote code download.
  • Network traffic is limited to the declared Artifakt service and local app URLs.
  • `bin/prepare-package.mjs` is a prepack-only build helper, not an install-time action.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 190 file(s), 1.05 MB of source, external domains: 127.0.0.1, api.github.com, app.artifakthq.com, app.example.com, hooks.slack.com, www.apple.com

Source & flagged code

8 flagged · loading source
bin/prepare-package.mjsView file
5// the server expects. L6: import { spawnSync } from "node:child_process"; L7: import { cpSync, existsSync, rmSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/prepare-package.mjsView on unpkg · L5
12L13: const build = spawnSync("npx", ["next", "build"], { L14: cwd: root,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/prepare-package.mjsView on unpkg · L12
bin/artifakt.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = artifakt@0.1.2 matchedIdentity = npm:YXJ0aWZha3Q:0.1.2 similarity = 0.908 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/artifakt.mjsView on unpkg
755const child = spawn(cmd, { L756: shell: true, L757: cwd: workdir,
High
Shell

Package source references shell execution.

bin/artifakt.mjsView on unpkg · L755
447const NOTIFY_DIR = L448: process.env.ARTIFAKT_NOTIFY_DIR ?? join(homedir(), ".artifakt", "notifications"); L449: function envelopePath(artifactId) { ... L452: L453: const DEFAULT_CLOUD_URL = "https://app.artifakthq.com/api/mcp"; L454: L455: function run(command, args, opts = {}) { L456: const child = spawn(command, args, { L457: cwd: root,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/artifakt.mjsView on unpkg · L447
16*/ L17: import { spawn, spawnSync } from "node:child_process"; L18: import { fileURLToPath } from "node:url"; ... L46: L47: const __dirname = dirname(fileURLToPath(import.meta.url)); L48: const selfPath = fileURLToPath(import.meta.url); // abs path to this CLI, for service units ... L56: try { L57: return JSON.parse(readFileSync(RUNNER_CONFIG, "utf8")); L58: } catch { ... L142: stdio: ["ignore", out, out], L143: env: process.env, L144: });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/artifakt.mjsView on unpkg · L16
16*/ L17: import { spawn, spawnSync } from "node:child_process"; L18: import { fileURLToPath } from "node:url"; ... L46: L47: const __dirname = dirname(fileURLToPath(import.meta.url)); L48: const selfPath = fileURLToPath(import.meta.url); // abs path to this CLI, for service units ... L56: try { L57: return JSON.parse(readFileSync(RUNNER_CONFIG, "utf8")); L58: } catch { ... L142: stdio: ["ignore", out, out], L143: env: process.env, L144: });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

bin/artifakt.mjsView on unpkg · L16
.next/standalone/.next/static/media/77fb5eec12c66d49-s.woff2View file
path = .next/standalone/.[redacted]-s.woff2 kind = high_entropy_blob sizeBytes = 4168 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

.next/standalone/.next/static/media/77fb5eec12c66d49-s.woff2View on unpkg

Findings

1 Critical6 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/artifakt.mjs
HighChild Processbin/prepare-package.mjs
HighShellbin/artifakt.mjs
HighSame File Env Network Executionbin/artifakt.mjs
HighSandbox Evasion Gated Capabilitybin/artifakt.mjs
HighRuntime Package Installbin/prepare-package.mjs
HighShips High Entropy Blob.next/standalone/.next/static/media/77fb5eec12c66d49-s.woff2
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencebin/artifakt.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License