registry  /  kinetik-engine  /  0.1.15

kinetik-engine@0.1.15

Kinetik engine and project initializer for Three.js games

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a game engine/project scaffold with an install-time template sync and runtime game scripting/networking features that are package-aligned.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install may run postinstall; user-run CLI initializes a project; game runtime may load configured scripts/networking
Impact
May update a project editor template during install, but no evidence of credential theft, persistence, exfiltration, or agent hijack
Mechanism
project scaffold/template sync plus runtime game module loading
Rationale
Static inspection shows suspicious primitives, but they are aligned with a Three.js game engine/scaffold: install-time template sync, user-invoked project creation, runtime game script loading, and optional user-configured WebRTC signaling. No concrete malicious behavior, exfiltration, persistence, or AI-agent control-surface mutation was found.
Evidence
package.jsonsync-generated-editor-html.jsinit.jsbin/create-kinetik-app.jsscriptManager.jsnetworking.jsscaffold/electron-main.jsscaffold/scripts/run-electron.jssrc/editor.htmlelectron-main.jspreload.jsvite.config.jsscripts/run-electron.jssrc/index.htmlsrc/main.jssrc/game/editorSetup.jssrc/game/bootstrap.jssrc/game/globals.jssrc/game/ground.jssrc/game/player.jsscripts/scene.jsscripts/object.jslevels/main.json
Network endpoints2
stun:stun.l.google.com:19302stun:stun1.l.google.com:19302

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node sync-generated-editor-html.js
  • sync-generated-editor-html.js can overwrite INIT_CWD/src/editor.html from package scaffold when a src directory exists
  • scriptManager.js dynamically imports game/editor script paths from runtime level/object metadata
  • networking.js performs WebRTC signaling to a user-configured apiBase and uses Google STUN servers
Evidence against
  • postinstall only copies scaffold/src/editor.html into the installing project and skips package-root installs or projects without src/
  • No credential/env harvesting found; process.env use is limited to INIT_CWD and Electron child env passthrough
  • No hardcoded exfiltration host; networking endpoint is configured by the app user
  • No AI-agent control-surface writes, shell startup persistence, VCS hooks, or broad home-directory mutation found
  • CLI bin creates a Three.js/Electron scaffold with local files under the selected target directory
  • child_process usage is confined to scaffold/scripts/run-electron.js launching Electron for the generated app
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 34 file(s), 719 KB of source, external domains: www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node sync-generated-editor-html.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scriptManager.jsView file
25if (_moduleCache.has(url)) return _moduleCache.get(url); L26: const mod = await import(url); L27: _moduleCache.set(url, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scriptManager.jsView on unpkg · L25

Findings

1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic RequirescriptManager.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License