AI Security Review
scanned 11d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a static-analysis CLI that reads target source/config files and writes candor report artifacts when invoked.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes one of the candor-ts CLI binaries.
Impact
Expected local analysis side effects only; no exfiltration or unauthorized persistence identified.
Mechanism
Static analysis/report query tooling with user-directed filesystem reads and report writes.
Rationale
Source inspection shows powerful primitives are package-aligned and user-invoked, with no lifecycle execution, network exfiltration, credential harvesting, or AI-agent control-surface mutation. Scanner hints about dangerous deltas and env references are noisy for this static-analysis tool.
Evidence
package.jsonscan.mjswatch.mjsmcp.mjslsp.mjsquery.mjsAGENTS.md<outPrefix>.json<outPrefix>.callgraph.json<outPrefix>.hierarchy.json
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- watch.mjs exposes user-invoked subprocess capability by running node scan.mjs via spawnSync.
- AGENTS.md contains agent-facing instructions, but they are documentation shipped for the tool's intended workflow.
Evidence against
- package.json has no install/preinstall/postinstall/prepare lifecycle hooks.
- Bin entrypoints are explicit CLI tools: scan.mjs, query.mjs, mcp.mjs, watch.mjs, lsp.mjs.
- No source imports http/https/net/tls clients or performs fetch; URLs are documentation/repository links.
- scan.mjs writes only requested report outputs with atomic temp+rename under user-supplied/default prefix.
- mcp.mjs is report-query-only and confines policy-file reads to the report directory tree.
- No credential harvesting, persistence, destructive filesystem behavior, or import-time execution found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcewatch.mjsView file
16*/
L17: import { spawnSync } from "node:child_process";
L18: import crypto from "node:crypto";
...
L63: const r = spawnSync("node", [path.join(HERE, "scan.mjs"), target, "--out", out], { encoding: "utf8" });
L64: return { ok: r.status === 0, ms: Date.now() - t0, stderr: r.stderr };
L65: }
Low
scan.mjsView file
•matchType = previous_version_dangerous_delta
matchedPackage = candor-ts@0.8.2
matchedIdentity = npm:Y2FuZG9yLXRz:0.8.2
similarity = 0.625
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
scan.mjsView on unpkgFindings
1 Critical1 Medium5 Low
CriticalPrevious Version Dangerous Deltascan.mjs
MediumEnvironment Vars
LowScripts Present
LowWeak Cryptowatch.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings