registry  /  injectlint  /  0.1.0

injectlint@0.1.0

Pipe untrusted text in and watch prompt injections light up red in your terminal. A best-effort detector, not a guardrail.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a local CLI/library for detecting prompt-injection patterns in user-provided stdin text.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs injectlint CLI or imports library APIs.
Impact
Flags suspicious input lines; no exfiltration, persistence, install-time mutation, or destructive behavior observed.
Mechanism
local text scanning and report rendering
Rationale
Static source inspection shows suspicious strings are package-aligned detection rules and documentation examples. There is no concrete malware behavior or unconsented install/import-time side effect.
Evidence
package.jsonREADME.mddist/cli.jsdist/index.jsdist/scan.jsdist/normalize.jsdist/patterns.jsdist/report.jsdist/render.jsdist/types.js

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • README.md and dist/patterns.js contain prompt-injection strings and Unicode/bidi samples as detector fixtures/rules, not executed payloads.
Evidence against
  • package.json has no preinstall/install/postinstall hook; only prepublishOnly build script.
  • dist/cli.js reads stdin, scans text, writes stdout/stderr, and exits; no network, shell, file writes, or persistence.
  • dist/index.js only re-exports scanner/render/report APIs.
  • dist/scan.js and dist/normalize.js perform local regex matching, Unicode normalization, and bounded base64/percent decoding.
  • rg found no child_process, eval/Function, filesystem writes, or runtime network APIs.
Behavioral surface
Source
ChildProcessEnvironmentVars
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 8 file(s), 66.6 KB of source, external domains: example.com

Source & flagged code

3 flagged · loading source
README.mdView file
- INSTRUCTION-OVERRIDE: "ignore previous instructions", role escalation ("you are now DAN"), and system-prompt extraction attempts.
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg
dist/patterns.jsView file
73contains invisible/control Unicode U+202E (right-to-left override) { id: 'jp-044', class: 'INSTRUCTION-OVERRIDE', severity: 'high', kind: 'phrase', pattern: '<U+202E>redro suoiverp erongi' },
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/patterns.jsView on unpkg · L73
Trigger-reachable chain: manifest.main -> dist/index.js -> dist/scan.js -> dist/patterns.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/patterns.jsView on unpkg

Findings

2 Critical1 High2 Medium4 Low
CriticalTrojan Source Unicodedist/patterns.js
CriticalTrigger Reachable Dangerous Capabilitydist/patterns.js
HighAi Reviewer ManipulationREADME.md
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings