registry  /  auditx  /  0.1.15

auditx@0.1.15

One command. Every vulnerability. AI-ready markdown report.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a security-audit CLI that invokes scanners, downloads scanner binaries on demand, can write reports, and can install git hooks only when explicitly requested.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs auditx CLI commands such as scan, install, hook, --ai, --fix, or --watch.
Impact
Package-aligned filesystem writes and external scanner/API calls; no unconsented malicious behavior confirmed.
Mechanism
User-invoked scanner orchestration and report generation
Rationale
Static inspection shows risky primitives are expected for a security scanning CLI and are activated by user commands, not npm install or import. No concrete malicious payload, credential theft, covert exfiltration, or unconsented AI-agent/control-surface mutation was found.
Evidence
package.jsondist/auditx.jsdist/hook-W4INEOTH.js~/.auditx/bin~/.auditx/semgrep-home~/.auditx/config.jsonaudit-report.md.git/hooks/<hook>.husky/<hook>
Network endpoints3
github.com/gitleaks/gitleaks/releases/download/v8.30.1/gitleaks_8.30.1_<os>_<arch>.<ext>github.com/aquasecurity/trivy/releases/download/v0.71.2/trivy_0.71.2_<os>-<arch>.<ext>github.com/semgrep/semgrep/releases/download/v1.100.0/semgrep-v1.100.0-<os>.<ext>

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle hooks; bin is dist/auditx.js only.
    • dist/auditx.js only runs scans after explicit CLI invocation; no import-time scan or install behavior found.
    • Runtime downloads are for named scanner tools from GitHub releases and are package-aligned.
    • Git hook writes are gated behind explicit `auditx hook install|install-all|uninstall`.
    • AI API use requires explicit --ai/config and reads only provider API keys from env/config.
    • No credential harvesting, hidden exfiltration, destructive persistence, eval, or reviewer prompt injection found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 86.1 KB of source, external domains: github.com, semgrep.dev, trivy.dev

    Source & flagged code

    5 flagged · loading source
    dist/auditx.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = auditx@0.1.13 matchedIdentity = npm:YXVkaXR4:0.1.13 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/auditx.jsView on unpkg
    8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10:
    High
    Child Process

    Package source references child process execution.

    dist/auditx.jsView on unpkg · L8
    864import { randomUUID as randomUUID2 } from "crypto"; L865: var execAsync = promisify7(exec); L866: async function runJscpd(targetPath, stagedFiles) {
    High
    Shell

    Package source references shell execution.

    dist/auditx.jsView on unpkg · L864
    872const targets = stagedFiles && stagedFiles.length > 0 ? stagedFiles.map((f) => `"${f}"`).join(" ") : `"${targetPath}"`; L873: await execAsync(`npx --yes jscpd ${targets} --reporters json --output "${tmpDir}" --silent`, { maxBuffer: 10 * 1024 * 1024 }); L874: } catch (e) {
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/auditx.jsView on unpkg · L872
    8import { resolve } from "path"; L9: import { execSync } from "child_process"; L10: ... L16: var TARGET_FILES = /* @__PURE__ */ new Set([ L17: "package.json", L18: "package-lock.json", ... L74: try { L75: const pkg = JSON.parse(readFileSync(pkgPath, "utf-8")); L76: if (pkg.dependencies) Object.keys(pkg.dependencies).forEach((d) => allDeps.add(d)); ... L132: import { existsSync as existsSync2, mkdirSync, createWriteStream, rmSync } from "fs"; L133: import https from "https"; L134: import * as tar from "tar";
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/auditx.jsView on unpkg · L8

    Findings

    1 Critical3 High3 Medium5 Low
    CriticalPrevious Version Dangerous Deltadist/auditx.js
    HighChild Processdist/auditx.js
    HighShelldist/auditx.js
    HighRuntime Package Installdist/auditx.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowWeak Cryptodist/auditx.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings