registry  /  gowalk-cicd  /  1.0.3

gowalk-cicd@1.0.3

Zero-config GitHub Actions delivery for iOS TestFlight and Android Google Play.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface. The explicit CLI installs mobile-delivery GitHub Actions and the installed action can perform documented deployment, metadata, and self-update operations in a consumer CI repository.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `gowalk-cicd`; installed workflow later runs on `main` pushes or manual dispatch.
Impact
Writes documented GitHub Actions files and, when enabled in CI, can commit signed-build/action refresh artifacts to the consumer repository.
Mechanism
User-invoked vendoring of CI actions plus package-aligned mobile deployment automation.
Rationale
Direct inspection shows a user-invoked CI installer for iOS/Android deployment, with broad but documented repository writes and CI capabilities. No lifecycle-triggered execution, stealth persistence, credential exfiltration, or unconsented foreign AI-agent control-surface mutation was found.
Evidence
package.jsonbin/cli.mjssrc/install.mjstemplates/deploy.ymlaction/action.ymlaction/scripts/autoupdate_check.shaction/scripts/asc_common.pyandroid-action/action.ymlandroid-action/scripts/resolve_android.pyandroid-action/scripts/bitrise_deploy.py.github/actions/swift-app/.github/actions/android-app/.github/workflows/deploy.ymlcreds/
Network endpoints3
api.appstoreconnect.apple.com/v1androidpublisher.googleapis.com/androidpublisher/v3api.bitrise.io/v0.1

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • Explicit CLI installer overwrites consumer `.github` action and workflow paths.
  • Vendored CI action can auto-update itself through `npm view` and `npx`, then stage and push action files.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • `bin/cli.mjs` invokes installation only when the user runs the CLI.
  • `src/install.mjs` confines writes to documented `.github/actions/*` and `.github/workflows/deploy.yml` paths.
  • Network calls target named delivery services: Apple App Store Connect, Google Play, and optional Bitrise.
  • No credential harvesting or exfiltration endpoint was found; credential files are used for declared signing/deployment.
  • AI inference is an opt-in CI metadata feature using GitHub Actions, not an agent-control-surface mutation.
Behavioral surface
Source
Filesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 9.48 KB of source

Source & flagged code

2 flagged · loading source
android-action/scripts/test_sign_bundle.pyView file
25patternName = generic_password severity = medium line = 25 matchedText = password...ord"
Medium
Secret Pattern

Package contains a possible secret pattern.

android-action/scripts/test_sign_bundle.pyView on unpkg · L25
path = android-action/scripts/test_sign_bundle.py kind = build_helper sizeBytes = 2486 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

android-action/scripts/test_sign_bundle.pyView on unpkg

Findings

2 Medium2 Low
MediumSecret Patternandroid-action/scripts/test_sign_bundle.py
MediumShips Build Helperandroid-action/scripts/test_sign_bundle.py
LowScripts Present
LowFilesystem