AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked CI/build CLI that uploads a selected directory, triggers builds, polls status, and downloads an artifact.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs catalyst upload/build/pull/run with API and token configuration.
Impact
User-selected project files may be uploaded to the configured Catalyst API and build artifacts may be written to the requested output path.
Mechanism
Authenticated project upload/build/download CLI workflow
Rationale
Static inspection shows package-aligned network and filesystem behavior activated only by CLI commands, with no lifecycle execution or hidden exfiltration primitives. Scanner warnings are explained by the documented Catalyst API client behavior and PAT-based authentication.
Evidence
package.jsonbin/catalyst.jssrc/index.jsREADME.mduser-supplied upload directoryuser-supplied --out path or artifact filename
Network endpoints3
www.dev.bcat.website/catalyst/apiwww.bcat.website/catalyst/apicaller-provided CATALYST_API or --api
Decision evidence
public snapshotAI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no lifecycle scripts; only bin maps catalyst to bin/catalyst.js.
- bin/catalyst.js only invokes exported main on user CLI execution.
- src/index.js reads only CATALYST_API/CATALYST_TOKEN or flags for explicit auth configuration.
- src/index.js zips a user-supplied directory for upload and skips common dependency/build/cache dirs.
- Network calls are tied to documented upload/build/pull commands and caller-provided API base.
- No child_process, eval/vm/Function, dynamic loading, persistence, credential harvesting, or install-time execution found.
Behavioral surface
EnvironmentVarsFilesystemNetwork
UrlStrings
Source & flagged code
1 flagged · loading sourcesrc/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = catalyst-cli@0.2.1
matchedIdentity = npm:Y2F0YWx5c3QtY2xp:0.2.1
similarity = 0.500
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
src/index.jsView on unpkgFindings
1 Critical2 Medium2 Low
CriticalPrevious Version Dangerous Deltasrc/index.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowUrl Strings