AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The main risk is a package-aligned postinstall refresh of src/editor.html and runtime game-script loading controlled by the application.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; user-invoked CLI; browser game runtime
Impact
Can update a consuming project's editor template during install, but no credential theft, persistence, exfiltration, or foreign AI-agent control mutation was found.
Mechanism
scaffold/template file copy and browser dynamic import
Rationale
The install hook is intrusive but limited to refreshing the package's own editor template in a project that already has src/, and the CLI scaffolding is explicit/user-invoked. Dynamic imports and network APIs are game-engine features with caller-supplied scripts/endpoints, not concrete malicious behavior.
Evidence
package.jsonsync-generated-editor-html.jsinit.jsbin/create-kinetik-app.jsscriptManager.jsnetworking.jsscaffold/electron-main.jsscaffold/scripts/run-electron.jssrc/editor.htmlelectron-main.jspreload.jsvite.config.jsscripts/run-electron.jssrc/index.htmlsrc/main.jssrc/game/editorSetup.jssrc/game/bootstrap.jssrc/game/globals.jssrc/game/ground.jssrc/game/player.jsscripts/scene.jsscripts/object.jslevels/main.json
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json has postinstall: node sync-generated-editor-html.js
- sync-generated-editor-html.js writes INIT_CWD/src/editor.html when a consuming project has src/
- scriptManager.js dynamically imports browser script paths from scene/object userData
Evidence against
- Postinstall only copies packaged scaffold/src/editor.html into package-aligned src/editor.html; no agent/control-surface files
- No hardcoded exfiltration endpoint; networking.js uses caller-configured apiBase
- No credential/env harvesting found; process.env only used for INIT_CWD and Electron launcher env copy
- bin/create-kinetik-app.js and init.js scaffold game project files only when CLI is invoked
- No shell startup, VCS hook, MCP, Claude, Codex, Cursor, or persistence writes found
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node sync-generated-editor-html.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgscriptManager.jsView file
25if (_moduleCache.has(url)) return _moduleCache.get(url);
L26: const mod = await import(url);
L27: _moduleCache.set(url, mod);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
scriptManager.jsView on unpkg · L25Findings
1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic RequirescriptManager.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License