registry  /  artor-cli  /  0.14.0

artor-cli@0.14.0

Artor CLI — version, publish, and preview your web prototypes.

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are present but are aligned with a CLI for publishing prototypes, syncing org skills, and configuring registries.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs artor commands such as login, init, publish, skill sync, registry login, update, or install.
Impact
Can upload project source/artifacts to Artor, write local Artor config/project files, write managed .npmrc/.env.local/skill files, and run package-manager/build commands when explicitly requested.
Mechanism
User-invoked Artor API client and project publishing tooling
Rationale
Static inspection shows a broad but coherent Artor CLI: authenticated API calls, source publishing, registry/env/skill sync, and child process use are tied to documented user commands rather than install-time or hidden execution. The scanner's credential-exfiltration hint appears to be normal bearer-token/API credential use for Artor product features, with explicit secret exclusions and redaction logic.
Evidence
package.jsondist/index.jsREADME.md~/.artor/config.json.artor/project.json.claude/skills/org/AGENTS.md.npmrc.env.localnext.config.mjs
Network endpoints5
dash.artor.appregistry.npmjs.org/github.com/artorapp/skill/tree/main/artorclaude.com/codenodejs.org

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js contains network calls with bearer auth to configured Artor API
  • dist/index.js can write .claude/skills/org and AGENTS.md during user-invoked skill sync/init
  • dist/index.js can run npm/package-manager builds and installs during user-invoked init/publish/update/install commands
Evidence against
  • package.json has no install/postinstall lifecycle hooks; only bin is ./dist/index.js
  • Default API is https://dash.artor.app and network paths are Artor CLI product endpoints
  • Credential handling is command-aligned: login stores Artor token; registry/skill credentials are sent only for explicit registry add/skill add
  • publish excludes common secret files and dirs such as .env, .npmrc, .ssh, .claude, and .artor from source upload
  • Child process use is tied to explicit build/install/open/update commands with argument validation for tool spawns
  • No eval/vm/Function, obfuscated payload, persistence, or import-time execution found
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 191 KB of source, external domains: claude.com, dash.artor.app, github.com, nodejs.org, registry.npmjs.org

Source & flagged code

2 flagged · loading source
dist/index.jsView file
36try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L127: try { L128: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L129: return JSON.parse(raw); ... L154: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L155: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L156: `); ... L205: try { L206: res = await fetch(url, { ...init2, headers }); L207: } catch {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L36
36Trigger-reachable chain: manifest.bin -> dist/index.js L36: try { L37: return JSON.stringify(redactForLog(JSON.parse(body))); L38: } catch { ... L127: try { L128: const raw = readFileSync(new URL("../package.json", import.meta.url), "utf8"); L129: return JSON.parse(raw); ... L154: const body = typeof init2.body === "string" ? redactBody(init2.body) : void 0; L155: process.stderr.write(`\x1B[2m\u2192 ${method} ${url}\x1B[0m L156: `); ... L205: try { L206: res = await fetch(url, { ...init2, headers }); L207: } catch {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L36

Findings

2 Critical3 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License