registry  /  artor-cli  /  0.12.0

artor-cli@0.12.0

Artor CLI — version, publish, and preview your web prototypes.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface; observed network, filesystem, and process execution are expected for an authenticated deployment/project-management CLI. Risky operations are user-invoked commands, not install-time or hidden behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs artor commands such as login, publish, registry login, skill sync, update, or install.
Impact
Expected upload of selected project artifacts/source to Artor and local CLI/project configuration changes.
Mechanism
authenticated CLI workflow with project packaging, API calls, and local config writes
Rationale
Static inspection shows a normal Artor CLI with explicit commands for login, publish, registry, skills, and updates; scanner exfiltration labels are explained by intended authenticated API uploads and token-bearing requests. There is no lifecycle execution, hidden credential harvesting, covert endpoint, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/index.js~/.artor/config.json.artor/project.json.npmrc.claude/skills/orgAGENTS.md
Network endpoints4
dash.artor.appregistry.npmjs.org/github.com/artorapp/skill/tree/main/artorlocalhost:3000

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js can package and upload project source on user-run publish/template push.
  • dist/index.js has user-invoked child_process calls for build/install/update/open/install-skill flows.
  • dist/index.js can write .claude/skills/org and AGENTS.md during user-run skill sync/init.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; bin only maps artor to dist/index.js.
  • Network calls are to Artor CLI API paths under configured apiUrl, default https://dash.artor.app.
  • Secrets are read only for explicit login/registry/skill commands and redacted from verbose logs.
  • packDir excludes common secret files, .artor, .claude, node_modules, .git, .ssh, and .npmrc from source uploads.
  • No import-time execution beyond dispatching CLI argv; dangerous actions require explicit commands.
  • No obfuscation, eval/vm/Function, native binary loading, persistence, or destructive install-time behavior found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 188 KB of source, external domains: claude.com, dash.artor.app, github.com, nodejs.org, registry.npmjs.org

Source & flagged code

5 flagged · loading source
dist/index.jsView file
36try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L115: try { L116: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L117: return JSON.parse(raw); ... L142: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L143: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L144: `); ... L193: try { L194: res = await fetch(url, { ...init2, headers }); L195: } catch {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L36
36Trigger-reachable chain: manifest.bin -> dist/index.js L36: try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L115: try { L116: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L117: return JSON.parse(raw); ... L142: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L143: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L144: `); ... L193: try { L194: res = await fetch(url, { ...init2, headers }); L195: } catch {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L36
506// src/build.ts L507: import { spawnSync } from "node:child_process"; L508: function runBuild(cwd, pm) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L506
5153} L5154: process.stdout.write(`${plan.message} L5155: `); ... L5159: // src/commands/install.ts L5160: import { spawnSync as spawnSync4 } from "node:child_process"; L5161: ... L5163: var SKILL_REPO = "artorapp/skill"; L5164: var SKILL_SOURCE_URL = "https://github.[redacted]"; L5165: function installPlan(target, platform = process.platform) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L5153
36try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L115: try { L116: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L117: return JSON.parse(raw); ... L142: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L143: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L144: `); ... L193: try { L194: res = await fetch(url, { ...init2, headers }); L195: } catch {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L36

Findings

2 Critical4 High3 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License