registry  /  devquest  /  0.4.0

devquest@0.4.0

A gamified terminal wrapper that rewards real development work with XP, levels, and achievements

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The explicit CLI wrapper executes a user-selected development command and records local XP state; class detection reads local Git history.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs devquest/dq with a built-in command or a command to wrap.
Impact
Runs the command explicitly supplied by the user; reads repository commit metadata and writes only DevQuest state.
Mechanism
User-invoked command wrapper with local profile/config persistence.
Rationale
Static source inspection shows a normal local gamification CLI with no install-time execution or remote/exfiltration behavior. The scanner's environment-variable and process-spawn signals are explained by configurable local state and explicit user-command wrapping.
Evidence
package.jsonbin/devquest.jssrc/config.jssrc/xp.jssrc/class.jssrc/actions.jssrc/commands.js~/.devquest/config.json~/.devquest/profile.json~/.devquest/profile.lock

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare lifecycle hook.
    • bin/devquest.js only runs when the user invokes its CLI bin.
    • bin/devquest.js spawns the user-supplied wrapped command without a shell and inherits stdio.
    • src/xp.js only persists gamification state under ~/.devquest or DEVQUEST_HOME.
    • src/class.js runs fixed git log arguments against the current repository only.
    • No network, exfiltration, eval, dynamic loading, AI-agent config, or destructive APIs were found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 8 file(s), 44.5 KB of source

    Source & flagged code

    1 flagged · loading source
    package.jsonView file
    name = devquest; similarTo = request
    Medium
    Typosquat Name

    Package name is suspiciously similar to a popular package name.

    package.jsonView on unpkg

    Findings

    2 Medium3 Low
    MediumTyposquat Namepackage.json
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings