AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. Risky primitives are limited to explicit developer commands for scaffolding and starting Vite.
Decision evidence
public snapshot- bmdl-sdk-1.5.0.tgz contains nested prior-version archives bmdl-sdk-1.3.12.tgz and bmdl-sdk-1.4.0.tgz.
- bin/dev.js uses child_process.spawn with shell:true to run npx vite, but only on explicit bmdl-sdk dev.
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin/cli.js only dispatches explicit init/dev/build commands.
- bin/init.js writes template project files and package scripts only after explicit bmdl-sdk init.
- No credential harvesting, destructive file operations, or exfiltration endpoints found by source search.
- Network references are localhost dev server/SVG namespace only.
- Nested archives list package source contents and are not loaded or executed by entrypoints.
Source & flagged code
7 flagged · loading sourceThis package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/dev.jsView on unpkgPackage source invokes a package manager install command at runtime.
bin/dev.jsView on unpkg · L45Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
bmdl-sdk-1.5.0.tgzView on unpkg