registry  /  datpath  /  1.0.2

datpath@1.0.2

datpath - 代码分发与管理工具

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a code distribution CLI/API client with user-invoked network operations and local credential config storage.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs datpath CLI commands or directly runs api_manager.js.
Impact
User-requested server communication and local file writes; api_manager.js can upload local .md package definitions to Datpath infrastructure when invoked.
Mechanism
Authenticated CLI posts encrypted command objects and can pull server-returned files into a user-selected directory.
Rationale
Static inspection shows suspicious but package-aligned primitives: network API calls, local config storage, and user-invoked file writes for a declared code distribution tool. There is no lifecycle execution, stealth exfiltration, persistence, destructive behavior, or agent control-surface mutation.
Evidence
package.jsonsrc/index.jssrc/api.jssrc/config.jssrc/crypto.jsbin/jsapi.jsapi_manager.jstest_crypto.js~/.datpath/config.json./jsapi_modules/<packageName>/<file.name>
Network endpoints3
${serverUrl}/remote/cli/requestapi-vip1.datpath.com/v2/codeup/default/0/jsapi/signature/checkapi-vip1.datpath.com/v2/codeup/default/0/jsapi/snapshot/push

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • User-invoked CLI stores server URL, uid, and password in ~/.datpath/config.json.
  • api_manager.js has a hardcoded Datpath API key and posts package contents to api-vip1.datpath.com when directly run.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • src/index.js only exports config, api, and crypto modules; no import-time execution beyond module loading.
  • bin/jsapi.js actions are explicit CLI commands requiring login/current server.
  • No child_process, eval, dynamic code loading, persistence hooks, or AI-agent control-surface writes found.
  • src/api.js network requests go to a user-supplied serverUrl for declared code distribution commands.
Behavioral surface
Source
CryptoFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 44.5 KB of source, external domains: api-vip1.datpath.com

Source & flagged code

2 flagged · loading source
test_crypto.jsView file
3patternName = generic_password severity = medium line = 3 matchedText = const pa...Xk="
Medium
Secret Pattern

Package contains a possible secret pattern.

test_crypto.jsView on unpkg · L3
api_manager.jsView file
10*/ L11: const axios = require("axios") L12: const fs = require("fs") L13: const path = require("path") L14: const FormData = require("form-data") L15: const crypto = require('crypto'); ... L44: let param = parseParam(args); L45: // 解码 Base64 密钥 L46: function aesEncrypt(data, key) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

api_manager.jsView on unpkg · L10

Findings

2 Medium5 Low
MediumSecret Patterntest_crypto.js
MediumNetwork
LowScripts Present
LowWeak Cryptoapi_manager.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings