registry  /  devquest  /  0.5.0

devquest@0.5.0

A gamified terminal wrapper that rewards real development work with XP, levels, and achievements

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI runs only after an explicit user invocation, wraps the command supplied by that user, and stores local progress metadata.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `devquest`/`dq` with a built-in command or a command to wrap.
Impact
The package can execute the user-requested wrapped command, read local Git log metadata, and create/update its own profile files; it has no install-time execution, exfiltration, remote payload, or agent-control mutation.
Mechanism
Direct argument spawning plus local `~/.devquest` profile/config persistence and local Git-history classification.
Rationale
Static inspection finds a conventional, explicitly invoked CLI wrapper with scoped local state. Scanner signals correspond to documented environment-variable configuration and user-supplied command execution, not a concrete malicious chain.
Evidence
package.jsonbin/devquest.jssrc/class.jssrc/config.jssrc/xp.js~/.devquest/config.json~/.devquest/profile.json~/.devquest/profile.lock

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `bin/devquest.js` executes a user-selected command through `cross-spawn`; this is its advertised wrapper function.
  • `src/class.js` runs `git log` in the current working directory to classify local development history.
  • `src/xp.js` persists gamification data under `$DEVQUEST_HOME` or `~/.devquest`.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • No source module imports network APIs or contains runtime network endpoint strings.
  • `bin/devquest.js` passes command arguments directly without `shell: true`; no eval, VM, or remote loading is present.
  • `src/config.js` reads only local JSON configuration; `DEVQUEST_QUIET` and `DEVQUEST_HOME` only control local behavior and paths.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 43.3 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
name = devquest; similarTo = request
Medium
Typosquat Name

Package name is suspiciously similar to a popular package name.

package.jsonView on unpkg
bin/devquest.jsView file
matchType = previous_version_dangerous_delta matchedPackage = devquest@0.4.0 matchedIdentity = npm:ZGV2cXVlc3Q:0.4.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/devquest.jsView on unpkg

Findings

1 High2 Medium3 Low
HighPrevious Version Dangerous Deltabin/devquest.js
MediumTyposquat Namepackage.json
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings