AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The lifecycle hook refreshes a package editor template in an existing Kinetik-style project, while runtime dynamic imports and networking are package-aligned game engine features.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall; user-invoked CLI/editor/runtime APIs
Impact
May update project src/editor.html during install when src exists; no evidence of exfiltration or control hijack.
Mechanism
project scaffold/template sync and game runtime module loading
Rationale
Static inspection shows suspicious primitives are aligned with a Three.js game engine and scaffold/editor workflow, not malware. The install hook mutates a project editor template but does not touch foreign AI-agent surfaces, persist, harvest secrets, or contact attacker endpoints.
Evidence
package.jsonsync-generated-editor-html.jsscriptManager.jsnetworking.jsinit.jsbin/create-kinetik-app.jsscaffold/electron-main.jsscaffold/scripts/run-electron.jssrc/editor.html.gitignoreelectron-main.jspreload.jsvite.config.jsscripts/run-electron.jssrc/index.htmlsrc/main.jssrc/game/editorSetup.jssrc/game/bootstrap.jssrc/game/globals.jssrc/game/ground.jssrc/game/player.jsscripts/scene.jsscripts/object.js
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines postinstall: node sync-generated-editor-html.js
- sync-generated-editor-html.js writes src/editor.html in INIT_CWD when a src directory exists
Evidence against
- postinstall only copies package scaffold/src/editor.html into project src/editor.html; no agent/control-surface writes found
- scriptManager.js dynamic import loads browser level scripts from gameState/object userData relative to window location
- networking.js uses fetch only after configureNet({apiBase}) and has no hardcoded exfiltration endpoint
- init.js/bin/create-kinetik-app.js are explicit scaffold generators copying project template files
- scaffold/electron-main.js file writes are editor save/import/export handlers for project assets and app userData
- No credential/env harvesting, remote code download, persistence hooks, destructive behavior, or prompt/reviewer manipulation found
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node sync-generated-editor-html.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgscriptManager.jsView file
25if (_moduleCache.has(url)) return _moduleCache.get(url);
L26: const mod = await import(url);
L27: _moduleCache.set(url, mod);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
scriptManager.jsView on unpkg · L25Findings
1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic RequirescriptManager.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License