AI Security Review
scanned 7d ago · by lpm-firewall-aiNo confirmed malicious attack surface was established. Risky primitives are present but are aligned with a CLI for publishing prototypes, syncing org skills, and configuring registries.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs artor commands such as login, init, publish, skill sync, registry login, update, or install.
Impact
Can upload project source/artifacts to Artor, write local Artor config/project files, write managed .npmrc/.env.local/skill files, and run package-manager/build commands when explicitly requested.
Mechanism
User-invoked Artor API client and project publishing tooling
Rationale
Static inspection shows a broad but coherent Artor CLI: authenticated API calls, source publishing, registry/env/skill sync, and child process use are tied to documented user commands rather than install-time or hidden execution. The scanner's credential-exfiltration hint appears to be normal bearer-token/API credential use for Artor product features, with explicit secret exclusions and redaction logic.
Evidence
package.jsondist/index.jsREADME.md~/.artor/config.json.artor/project.json.claude/skills/org/AGENTS.md.npmrc.env.localnext.config.mjs
Network endpoints5
dash.artor.appregistry.npmjs.org/github.com/artorapp/skill/tree/main/artorclaude.com/codenodejs.org
Decision evidence
public snapshotAI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/index.js contains network calls with bearer auth to configured Artor API
- dist/index.js can write .claude/skills/org and AGENTS.md during user-invoked skill sync/init
- dist/index.js can run npm/package-manager builds and installs during user-invoked init/publish/update/install commands
Evidence against
- package.json has no install/postinstall lifecycle hooks; only bin is ./dist/index.js
- Default API is https://dash.artor.app and network paths are Artor CLI product endpoints
- Credential handling is command-aligned: login stores Artor token; registry/skill credentials are sent only for explicit registry add/skill add
- publish excludes common secret files and dirs such as .env, .npmrc, .ssh, .claude, and .artor from source upload
- Child process use is tied to explicit build/install/open/update commands with argument validation for tool spawns
- No eval/vm/Function, obfuscated payload, persistence, or import-time execution found
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
36try {
L37: return JSON.stringify(redactForLog(JSON.parse(body)));
L38: } catch {
...
L127: try {
L128: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8");
L129: return JSON.parse(raw);
...
L154: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0;
L155: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m
L156: `);
...
L205: try {
L206: res = await fetch(url, { ...init2, headers });
L207: } catch {
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.jsView on unpkg · L3636Trigger-reachable chain: manifest.bin -> dist/index.js
L36: try {
L37: return JSON.stringify(redactForLog(JSON.parse(body)));
L38: } catch {
...
L127: try {
L128: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8");
L129: return JSON.parse(raw);
...
L154: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0;
L155: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m
L156: `);
...
L205: try {
L206: res = await fetch(url, { ...init2, headers });
L207: } catch {
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L36Findings
2 Critical3 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License