registry  /  devquest  /  0.3.0

devquest@0.3.0

A gamified terminal wrapper that rewards real development work with XP, levels, and achievements

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI intentionally wraps a user-supplied development command and stores local XP state.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `devquest <command>` or a built-in DevQuest command
Impact
Runs only the user's supplied command; writes XP state under the package-specific DevQuest home directory.
Mechanism
explicit command forwarding plus local gamification profile updates
Rationale
Static hints reflect ordinary CLI process spawning and environment-configurable package state. Source inspection found no install-time execution, exfiltration, stealth persistence, remote payload path, or foreign AI-agent control-surface mutation.
Evidence
package.jsonbin/devquest.jssrc/actions.jssrc/class.jssrc/commands.jssrc/xp.jssrc/achievements.jssrc/theme-dnd.js~/.devquest$DEVQUEST_HOME

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
    • `bin/devquest.js` executes only the command explicitly passed by the user, with `cross-spawn` and no shell.
    • `src/class.js` invokes fixed `git log` arguments solely to derive gamification class metadata.
    • `src/xp.js` reads/writes only the local DevQuest profile and lock under `DEVQUEST_HOME` or `~/.devquest`.
    • No source network client, credential harvesting, dynamic code loading, or AI-agent configuration path was found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemShell
    Supply chainNo supply-chain packaging signals triggered.
    ManifestNo manifest risk signals triggered.
    scanned 7 file(s), 34.2 KB of source

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    name = devquest; similarTo = request
    Medium
    Typosquat Name

    Package name is suspiciously similar to a popular package name.

    package.jsonView on unpkg
    bin/devquest.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = devquest@0.2.0 matchedIdentity = npm:ZGV2cXVlc3Q:0.2.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
    High
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    bin/devquest.jsView on unpkg

    Findings

    1 High2 Medium2 Low
    HighPrevious Version Dangerous Deltabin/devquest.js
    MediumTyposquat Namepackage.json
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem