kinetik-engine@0.1.11

Kinetik engine and project initializer for Three.js games

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The install hook is a package-aligned scaffold sync that may update src/editor.html in a consuming Kinetik project, and runtime dynamic imports are game scripting features.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; explicit CLI/init; runtime game level loading
Impact
project editor template may be refreshed; app-provided game scripts may execute in browser context
Mechanism
bundled scaffold copy and browser game script loading
Rationale
Source inspection shows the suspicious primitives are aligned with a Three.js game engine/scaffolder and do not perform exfiltration, persistence, lifecycle shell execution, or foreign AI-agent control-surface mutation. The postinstall write is narrow to a project editor template when a src directory exists, so it does not justify a block or warning under the provided policy.
Evidence
  • package.json
  • sync-generated-editor-html.js
  • scriptManager.js
  • bin/create-kinetik-app.js
  • init.js
  • networking.js
  • src/editor.html
  • scaffold/src/editor.html

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • postinstall runs sync-generated-editor-html.js and can write src/editor.html in installer project when src/ exists
Evidence against
  • postinstall copies only package scaffold/src/editor.html into project src/editor.html; no agent/control-surface files or persistence
  • sync-generated-editor-html.js uses INIT_CWD/package paths only and has no network, shell, credential, or env harvesting beyond INIT_CWD
  • scriptManager.js dynamic import loads browser game scripts from level/userData paths at runtime, package-aligned extensibility
  • bin/create-kinetik-app.js and init.js scaffold a Kinetik app from bundled scaffold files on explicit CLI/init use
  • networking.js only defines app-configured browser WebRTC/signaling helpers; no hardcoded exfiltration endpoint
  • No credential collection, lifecycle child_process execution, destructive behavior, or AI-agent control writes found
Behavioral surface
Source
ChildProcess, DynamicRequire, EnvironmentVars, Filesystem, Network
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 34 file(s), 716 KB of source, external domains: www.w3.org

Source & flagged code

2 flagged
package.json
scripts.postinstall = node sync-generated-editor-html.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scriptManager.js
L25: if (_moduleCache.has(url)) return _moduleCache.get(url);
L26: const mod = await import(url);
L27: _moduleCache.set(url, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scriptManager.js, line 25

Findings

1 High, 4 Medium, 5 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Dynamic Require (scriptManager.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk (Force Deep Review)
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License