registry  /  auditx  /  0.1.31

auditx@0.1.31

One command. Every vulnerability, dead code, and AI-generated code anti-pattern. JSON output built for AI coding agents to parse and self-fix.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

User-invoked CLI can download scanner binaries and run local audit tools; MCP server exposes the same scan capability over stdio. Agent and git hook config writes are explicit commands, not install-time behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs auditx, auditx install, auditx hook install, auditx init-agent, or auditx-mcp
Impact
No confirmed malicious attack surface; effects are package-aligned and user-invoked.
Mechanism
security scanner CLI with optional AI summary, scanner downloads, git hooks, and agent instruction templates
Rationale
The risky primitives are consistent with an audit tool: explicit commands install known scanner tools, scan files, write reports/baselines/SBOMs, and optionally write first-party agent or git hook config. There is no lifecycle execution, stealth persistence, credential harvesting beyond user-provided AI keys for selected providers, or unconsented mutation of broad AI-agent control surfaces.
Evidence
package.jsondist/auditx.jsdist/mcp-server.jsdist/chunk-F65ZON42.jsdist/scan-STHHVX2A.jsdist/install-C5GVDS4N.jsdist/agent-init-LLOLZMAP.jsdist/hook-XMKHTGQD.js~/.auditx/bin~/.auditx/config.jsonaudit-report.mdsbom.json.auditxignoreauditx.ymlAGENTS.md.cursor/rules/auditx.mdc.cursorrules.github/copilot-instructions.md.claude/skills/auditx/SKILL.md.git/hooks/pre-commit.git/hooks/pre-push
Network endpoints5
github.com/gitleaks/gitleaks/releases/download/github.com/aquasecurity/trivy/releases/download/github.com/trufflesecurity/trufflehog/releases/download/github.com/google/osv-scanner/releases/download/github.com/koalaman/shellcheck/releases/download/

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked `auditx install` downloads scanner binaries and installs scanner packages.
  • `auditx init-agent` writes AGENTS/Cursor/Copilot/Claude audit instructions when explicitly run.
  • `auditx hook install` writes git hooks that run auditx scans when explicitly run.
  • Optional `--ai` sends generated audit summary prompts to selected AI provider using env/config API keys.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Bin entrypoint only dispatches commands after user execution.
  • MCP server exposes a stdio `audit_codebase` scan tool; it does not auto-run on install/import.
  • Network URLs are package-aligned scanner releases or AI SDK calls, not hidden exfil endpoints.
  • No evidence of credential/file harvesting, destructive behavior, stealth persistence, or remote payload execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 126 KB of source, external domains: auditx-cli.vercel.app, github.com, osv.dev, raw.githubusercontent.com, semgrep.dev, trivy.dev

Source & flagged code

2 flagged · loading source
dist/chunk-MF3P6HJM.jsView file
matchType = previous_version_dangerous_delta matchedPackage = auditx@0.1.30 matchedIdentity = npm:YXVkaXR4:0.1.30 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-MF3P6HJM.jsView on unpkg
8import { join } from "path"; L9: import { execSync } from "child_process"; L10: var MAX_DEPTH = 4; ... L12: var TARGET_FILES = /* @__PURE__ */ new Set([ L13: "package.json", L14: "package-lock.json", ... L73: try { L74: const pkg = JSON.parse(readFileSync(pkgPath, "utf-8")); L75: if (pkg.dependencies) Object.keys(pkg.dependencies).forEach((d) => allDeps.add(d)); ... L207: } L208: const { stdout } = await execFileAsync( L209: bin,
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunk-MF3P6HJM.jsView on unpkg · L8

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltadist/chunk-MF3P6HJM.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptodist/chunk-MF3P6HJM.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings