registry  /  docspress  /  0.1.1

docspress@0.1.1

Sync Markdown docs to WordPress Pages as Gutenberg content from GitHub Actions.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Package behavior is aligned with syncing Markdown documentation to WordPress pages and an explicit OAuth token helper.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
GitHub Action execution or explicit `docspress token` command
Impact
Creates, updates, or deletes managed WordPress pages using the provided token; optionally stores WP_ACCESS_TOKEN via gh when requested
Mechanism
WordPress docs sync and explicit OAuth token creation
Rationale
Source inspection found no install-time execution, credential exfiltration, stealth persistence, or unconsented control-surface mutation. Network use, child process use, and token handling are package-aligned and activated by documented user workflows.
Evidence
package.jsonaction.ymlsrc/index.jssrc/wordpress.jssrc/sync.jssrc/docs.jsscripts/create-wordpress-token.mjsbin/docspress.mjsdist/index.js
Network endpoints4
public-api.wordpress.compublic-api.wordpress.com/oauth2/authorizepublic-api.wordpress.com/oauth2/tokenlocalhost:8787/callback

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks; only main dist/index.js and bin/docspress.mjs are exposed.
    • src/index.js reads GitHub Action inputs and syncs docs to WordPress via WordPressClient; execution is user-invoked action runtime.
    • src/wordpress.js sends Authorization bearer token only to configured WordPress API pages endpoints.
    • scripts/create-wordpress-token.mjs is an explicit token helper; OAuth endpoints are WordPress.com and optional gh secret set is gated by --set-secret.
    • bin/docspress.mjs only dispatches the user command `docspress token` to the package token helper.
    • dist/index.js is an ncc bundle of src and dependencies; eval/Function hits are dependency parser code, not a hidden payload loader.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 12 file(s), 1.95 MB of source, external domains: developer.mozilla.org, docs.github.com, feross.org, fetch.spec.whatwg.org, github.com, infra.spec.whatwg.org, mimesniff.spec.whatwg.org, nodejs.org, public-api.wordpress.com, stackoverflow.com, streams.spec.whatwg.org, tools.ietf.org, url.spec.whatwg.org, w3c.github.io, www.rfc-editor.org, www.unicode.org

    Source & flagged code

    8 flagged · loading source
    bin/docspress.mjsView file
    1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import path from "node:path";
    High
    Child Process

    Package source references child process execution.

    bin/docspress.mjsView on unpkg · L1
    dist/index.jsView file
    2062} L2063: // https://github.com/typescript-eslint/typescript-eslint/issues/60 L2064: // eslint-disable-next-line no-redeclare ... L2848: if (index === filepaths.length - 1) { L2849: stream.end(); L2850: } ... L2961: this.concurrency = this._getValue(this._options.concurrency, CPU_COUNT); L2962: this.cwd = this._getValue(this._options.cwd, process.cwd()); L2963: this.deep = this._getValue(this._options.deep, Infinity); ... L3521: L3522: let start = String.fromCharCode(a); L3523: if (a === b) return start;
    High
    Obfuscated Payload Loader

    Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

    dist/index.jsView on unpkg · L2062
    2062Cross-file remote execution chain: dist/index.js spawns dist/sourcemap-register.cjs; helper contains network access plus dynamic code execution. L2062: } L2063: // https://github.com/typescript-eslint/typescript-eslint/issues/60 L2064: // eslint-disable-next-line no-redeclare ... L2848: if (index === filepaths.length - 1) { L2849: stream.end(); L2850: } ... L2961: this.concurrency = this._getValue(this._options.concurrency, CPU_COUNT); L2962: this.cwd = this._getValue(this._options.cwd, process.cwd()); L2963: this.deep = this._getValue(this._options.deep, Infinity); ... L3521: L3522: let start = String.fromCharCode(a); L3523: if (a === b) return start;
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/index.jsView on unpkg · L2062
    4018} L4019: return eval(str) || {}; L4020: } catch (err) {
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/index.jsView on unpkg · L4018
    2062} L2063: // https://github.com/typescript-eslint/typescript-eslint/issues/60 L2064: // eslint-disable-next-line no-redeclare ... L2848: if (index === filepaths.length - 1) { L2849: stream.end(); L2850: } ... L2961: this.concurrency = this._getValue(this._options.concurrency, CPU_COUNT); L2962: this.cwd = this._getValue(this._options.cwd, process.cwd()); L2963: this.deep = this._getValue(this._options.deep, Infinity); ... L3521: L3522: let start = String.fromCharCode(a); L3523: if (a === b) return start;
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/index.jsView on unpkg · L2062
    dist/sourcemap-register.cjsView file
    1(()=>{var e={296:e=>{var r=Object.prototype.toString;var n=typeof Buffer!=="undefined"&&typeof Buffer.alloc==="function"&&typeof Buffer.allocUnsafe==="function"&&typeof Buffer.from...
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/sourcemap-register.cjsView on unpkg · L1
    scripts/create-wordpress-token.mjsView file
    matchType = previous_version_dangerous_delta matchedPackage = docspress@0.1.0 matchedIdentity = npm:ZG9jc3ByZXNz:0.1.0 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    scripts/create-wordpress-token.mjsView on unpkg
    1#!/usr/bin/env node L2: import { spawn } from "node:child_process"; L3: import crypto from "node:crypto"; L4: import http from "node:http"; L5: ... L133: if (error) { L134: response.end("Authorization failed. You can close this tab."); L135: reject(new Error(error)); ... L186: }); L187: const text = await response.text(); L188: const data = text ? JSON.parse(text) : {}; ... L197: function openBrowser(url) {
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    scripts/create-wordpress-token.mjsView on unpkg · L1

    Findings

    1 Critical5 High4 Medium6 Low
    CriticalPrevious Version Dangerous Deltascripts/create-wordpress-token.mjs
    HighChild Processbin/docspress.mjs
    HighShell
    HighSandbox Evasion Gated Capabilityscripts/create-wordpress-token.mjs
    HighObfuscated Payload Loaderdist/index.js
    HighCross File Remote Execution Contextdist/index.js
    MediumDynamic Requiredist/sourcemap-register.cjs
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEvaldist/index.js
    LowWeak Cryptodist/index.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings