AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI intentionally wraps a user-supplied development command and stores local XP state.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `devquest <command>` or a built-in DevQuest command
Impact
Runs only the user's supplied command; writes XP state under the package-specific DevQuest home directory.
Mechanism
explicit command forwarding plus local gamification profile updates
Rationale
Static hints reflect ordinary CLI process spawning and environment-configurable package state. Source inspection found no install-time execution, exfiltration, stealth persistence, remote payload path, or foreign AI-agent control-surface mutation.
Evidence
package.jsonbin/devquest.jssrc/actions.jssrc/class.jssrc/commands.jssrc/xp.jssrc/achievements.jssrc/theme-dnd.js~/.devquest$DEVQUEST_HOME
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- `bin/devquest.js` executes only the command explicitly passed by the user, with `cross-spawn` and no shell.
- `src/class.js` invokes fixed `git log` arguments solely to derive gamification class metadata.
- `src/xp.js` reads/writes only the local DevQuest profile and lock under `DEVQUEST_HOME` or `~/.devquest`.
- No source network client, credential harvesting, dynamic code loading, or AI-agent configuration path was found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•name = devquest; similarTo = request
Medium
Typosquat Name
Package name is suspiciously similar to a popular package name.
package.jsonView on unpkgbin/devquest.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = devquest@0.2.0
matchedIdentity = npm:ZGV2cXVlc3Q:0.2.0
similarity = 0.667
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/devquest.jsView on unpkgFindings
1 High2 Medium2 Low
HighPrevious Version Dangerous Deltabin/devquest.js
MediumTyposquat Namepackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem