registry  /  auditx  /  0.1.29

auditx@0.1.29

One command. Every vulnerability, dead code, and AI-generated code anti-pattern. JSON output built for AI coding agents to parse and self-fix.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface: risky primitives are tied to an audit scanner CLI and explicit subcommands. Agent-control files and Git hooks are not installed during npm lifecycle.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user CLI actions such as `auditx init-agent`, `auditx hook install`, `auditx install`, `--ai`, `--fix`, or `--sbom`.
Impact
User-invoked writes to project audit files/hooks and package-aligned scanner execution; no unconsented install-time persistence or exfiltration found.
Mechanism
Security scanner orchestration with optional agent setup, hooks, downloads, and AI summary calls
Rationale
Static inspection shows an audit tool with powerful but package-aligned, user-invoked capabilities; there are no lifecycle hooks or import-time mutations of foreign agent control surfaces. The scanner hints map to expected CLI scanner downloads, Git hook integration, optional AI summaries, and local report generation rather than malicious behavior.
Evidence
package.jsondist/auditx.jsdist/chunk-7V2JCXKE.jsdist/agent-init-LLOLZMAP.jsdist/hook-XMKHTGQD.jsdist/mcp-server.js~/.auditx/config.json~/.auditx/bin~/.auditx/semgrep-homeAGENTS.md.cursor/rules/auditx.mdc.cursorrules.github/copilot-instructions.md.claude/skills/auditx/SKILL.md.git/hooks/pre-commit.git/hooks/pre-pushaudit-report.md.auditxignoresbom.json
Network endpoints6
github.com/gitleaks/gitleaks/releases/download/github.com/aquasecurity/trivy/releases/download/github.com/semgrep/semgrep/releases/download/github.com/trufflesecurity/trufflehog/releases/download/github.com/google/osv-scanner/releases/download/github.com/koalaman/shellcheck/releases/download/

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked `auditx init-agent` writes agent instruction files including `AGENTS.md`, `.cursor/rules/auditx.mdc`, and `.claude/skills/auditx/SKILL.md`.
  • User-invoked `auditx hook install` can write Git hooks and run background audit scans after merge/checkout.
  • Runtime scanner setup downloads external security tools into `~/.auditx/bin` and can run `npm install -g`/`pip install` only via `auditx install` or scanner use.
Evidence against
  • `package.json` has no npm lifecycle hooks; install/import does not trigger agent-file or hook mutation.
  • Agent and Git hook writes are reachable only through explicit CLI subcommands, not package install.
  • AI API keys are read from env or `~/.auditx/config.json` for opt-in `--ai`; no credential harvesting or exfiltration loop found.
  • Network activity is package-aligned: GitHub release downloads for scanners and user-selected AI provider APIs.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 123 KB of source, external domains: github.com, osv.dev, semgrep.dev, trivy.dev

Source & flagged code

5 flagged · loading source
dist/auditx.jsView file
matchType = previous_version_dangerous_delta matchedPackage = auditx@0.1.23 matchedIdentity = npm:YXVkaXR4:0.1.23 similarity = 0.600 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/auditx.jsView on unpkg
20import { resolve, join as join2 } from "path"; L21: import { execSync } from "child_process"; L22:
High
Child Process

Package source references child process execution.

dist/auditx.jsView on unpkg · L20
915try { L916: execSync("npx eslint --fix .", { cwd: targetDir, stdio: "inherit" }); L917: console.log(chalk3.green(" [+] eslint --fix applied"));
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/auditx.jsView on unpkg · L915
20import { resolve, join as join2 } from "path"; L21: import { execSync } from "child_process"; L22: ... L130: { L131: exitCode: urgentCount > 0 ? 1 : 0, L132: urgentCount, ... L145: lines.push(""); L146: lines.push(`*Generated by [auditx](https://github.com/parth308/auditx) \xB7 MIT License*`); L147: return lines.join("\n"); ... L358: import chalk2 from "chalk"; L359: var CONFIG_DIR = join(homedir(), ".auditx"); L360: var CONFIG_FILE = join(CONFIG_DIR, "config.json");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/auditx.jsView on unpkg · L20
dist/chunk-7V2JCXKE.jsView file
1034import { promisify as promisify9 } from "util"; L1035: var execAsync = promisify9(exec); L1036: async function runCspell(targetDir, stagedFiles) {
High
Shell

Package source references shell execution.

dist/chunk-7V2JCXKE.jsView on unpkg · L1034

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/auditx.js
HighChild Processdist/auditx.js
HighShelldist/chunk-7V2JCXKE.js
HighRuntime Package Installdist/auditx.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/auditx.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings