AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The CLI runs only after an explicit user invocation, wraps the command supplied by that user, and stores local progress metadata.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `devquest`/`dq` with a built-in command or a command to wrap.
Impact
The package can execute the user-requested wrapped command, read local Git log metadata, and create/update its own profile files; it has no install-time execution, exfiltration, remote payload, or agent-control mutation.
Mechanism
Direct argument spawning plus local `~/.devquest` profile/config persistence and local Git-history classification.
Rationale
Static inspection finds a conventional, explicitly invoked CLI wrapper with scoped local state. Scanner signals correspond to documented environment-variable configuration and user-supplied command execution, not a concrete malicious chain.
Evidence
package.jsonbin/devquest.jssrc/class.jssrc/config.jssrc/xp.js~/.devquest/config.json~/.devquest/profile.json~/.devquest/profile.lock
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
- `bin/devquest.js` executes a user-selected command through `cross-spawn`; this is its advertised wrapper function.
- `src/class.js` runs `git log` in the current working directory to classify local development history.
- `src/xp.js` persists gamification data under `$DEVQUEST_HOME` or `~/.devquest`.
Evidence against
- `package.json` contains no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
- No source module imports network APIs or contains runtime network endpoint strings.
- `bin/devquest.js` passes command arguments directly without `shell: true`; no eval, VM, or remote loading is present.
- `src/config.js` reads only local JSON configuration; `DEVQUEST_QUIET` and `DEVQUEST_HOME` only control local behavior and paths.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•name = devquest; similarTo = request
Medium
Typosquat Name
Package name is suspiciously similar to a popular package name.
package.jsonView on unpkgbin/devquest.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = devquest@0.4.0
matchedIdentity = npm:ZGV2cXVlc3Q:0.4.0
similarity = 0.750
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
bin/devquest.jsView on unpkgFindings
1 High2 Medium3 Low
HighPrevious Version Dangerous Deltabin/devquest.js
MediumTyposquat Namepackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings