registry  /  artor-cli  /  0.11.0

artor-cli@0.11.0

Artor CLI — version, publish, and preview your web prototypes.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a featureful CLI for Artor project publishing and org management; risky primitives are user-invoked and package-aligned.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit artor CLI commands such as login, publish, skill sync, registry login, install, update, pull, or remix.
Impact
Can publish project artifacts, sync org skills, write local Artor config files, and run project build/install commands when requested.
Mechanism
Authenticated Artor API client with local project file management and build/install helpers
Rationale
Static inspection found no lifecycle hook, covert exfiltration, persistence, or unconsented AI-agent control mutation. The scanner hits map to expected CLI behavior: authenticated Artor API calls, optional org skill sync, registry/env file writes, and build/update child processes only through explicit commands.
Evidence
package.jsondist/index.jsREADME.md.artor/project.json.artor/skills.lock.json.claude/skills/orgAGENTS.md.npmrc.env.localnext.config.mjs
Network endpoints4
dash.artor.appregistry.npmjs.org/github.com/artorapp/skill/tree/main/artorlocalhost:3000

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js has user-invoked child_process calls for build/install/open/update commands.
  • dist/index.js can send Artor, GitHub, and registry credentials to configured Artor API endpoints.
  • dist/index.js writes project files such as .artor/project.json, .npmrc, .env.local, AGENTS.md, and .claude/skills/org during explicit commands.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; bin is ./dist/index.js only.
  • Network default is package-aligned https://dash.artor.app, with ARTOR_API_URL/dev override for users.
  • Secret files and dirs are excluded from source/package uploads, including .env, .npmrc, .ssh, .claude, and .artor.
  • Credential handling is tied to explicit login/registry/skill/env/publish commands and warns against CLI secret flags.
  • No import-time execution beyond dispatching the invoked CLI command; dangerous actions are command-gated.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 185 KB of source, external domains: claude.com, dash.artor.app, github.com, nodejs.org, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/index.jsView file
36try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L115: try { L116: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L117: return JSON.parse(raw); ... L142: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L143: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L144: `); ... L193: try { L194: res = await fetch(url, { ...init2, headers }); L195: } catch {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L36
36Trigger-reachable chain: manifest.bin -> dist/index.js L36: try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L115: try { L116: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L117: return JSON.parse(raw); ... L142: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L143: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L144: `); ... L193: try { L194: res = await fetch(url, { ...init2, headers }); L195: } catch {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L36
506// src/build.ts L507: import { spawnSync } from "node:child_process"; L508: function runBuild(cwd, pm) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L506
5115} L5116: process.stdout.write(`${plan.message} L5117: `); ... L5121: // src/commands/install.ts L5122: import { spawnSync as spawnSync4 } from "node:child_process"; L5123: ... L5125: var SKILL_REPO = "artorapp/skill"; L5126: var SKILL_SOURCE_URL = "https://github.[redacted]"; L5127: function installPlan(target, platform = process.platform) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L5115
36try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L115: try { L116: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L117: return JSON.parse(raw); ... L142: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L143: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L144: `); ... L193: try { L194: res = await fetch(url, { ...init2, headers }); L195: } catch {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L36

Findings

2 Critical4 High3 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License