AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a React/Vite scaffolding CLI with explicit user-invoked init/dev commands; the risky primitives are aligned with that purpose.
Decision evidence
public snapshot- bin/dev.js spawns vite with shell:true on explicit `bmdl-sdk dev` command
- bin/init.js writes template files and replaces package scripts on explicit `bmdl-sdk init` command
- Package ships nested prior-version archives bmdl-sdk-1.3.12.tgz and bmdl-sdk-1.4.0.tgz
- package.json has no preinstall/install/postinstall lifecycle scripts
- bin/cli.js only dispatches explicit init/dev/build subcommands
- bin/init.js scaffolds src/public/tsconfig files from local templates; no credential reads or exfiltration
- bin/dev.js only starts local Vite dev server on port 3000
- rg found no fetch/http exfiltration, eval/vm, env harvesting, shell download, persistence, or AI-agent control writes
- Nested bmdl-sdk-1.3.12.tgz contents match prior package scaffolding behavior with no lifecycle scripts
Source & flagged code
4 flagged · loading sourcePackage ships compressed or archive-like blobs.
bmdl-sdk-1.3.12.tgzView on unpkgPackage ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
bmdl-sdk-1.3.12.tgzView on unpkgThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/dev.jsView on unpkg