registry  /  kinetik-engine  /  0.1.20

kinetik-engine@0.1.20

Kinetik engine and project initializer for Three.js games

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious payload was found. The main residual risk is an npm postinstall hook that can overwrite a package-aligned project editor file in the installing project.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install in a project with an existing src directory
Impact
May modify INIT_CWD/src/editor.html without an explicit CLI command, but inspected content is a bundled editor template and no exfiltration or persistence was found.
Mechanism
install-time scaffold editor HTML sync
Attack narrative
During installation, the postinstall script resolves INIT_CWD or cwd and, if a src directory exists, copies the package's bundled scaffold/src/editor.html to src/editor.html. This is unconsented project mutation at install time, but inspection did not find malicious content in the hook, hidden network endpoints, credential harvesting, persistence, or AI-agent control-surface writes.
Rationale
The package is not malicious by source inspection, but the install-time project file rewrite is a real lifecycle risk worth warning on. Other suspicious primitives are package-aligned game/editor features or user-invoked scaffolding.
Evidence
package.jsonsync-generated-editor-html.jsscriptManager.jsnetworking.jsinit.jsbin/create-kinetik-app.jsscaffold/electron-main.jssrc/editor.htmlscaffold/src/editor.html

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node sync-generated-editor-html.js
  • sync-generated-editor-html.js writes bundled scaffold/src/editor.html to INIT_CWD/src/editor.html when src exists
  • init.js and bin/create-kinetik-app.js scaffold project files, but only via explicit CLI/init invocation
Evidence against
  • No credential, env, home-directory, AI-agent, persistence, or exfiltration logic found
  • scriptManager.js dynamic import loads level/editor script paths in browser runtime, aligned with game scripting
  • networking.js fetches only caller-configured apiBase for WebRTC signaling; no hardcoded collection endpoint
  • scaffold/electron-main.js file writes are editor save/import operations under project or Electron userData
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 34 file(s), 722 KB of source, external domains: www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node sync-generated-editor-html.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scriptManager.jsView file
25if (_moduleCache.has(url)) return _moduleCache.get(url); L26: const mod = await import(url); L27: _moduleCache.set(url, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scriptManager.jsView on unpkg · L25

Findings

1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic RequirescriptManager.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License