registry  /  kinetik-engine  /  0.1.21

kinetik-engine@0.1.21

Kinetik engine and project initializer for Three.js games

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The only concrete risk is an install-time project mutation: postinstall may overwrite src/editor.html in the consuming project. No malicious exfiltration, persistence, remote payload fetching, or AI-agent control-surface mutation was found.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install in a project with src/ present
Impact
Potential unintended overwrite of project src/editor.html; no confirmed malware behavior
Mechanism
postinstall template sync writes a package scaffold HTML file
Attack narrative
On install, package.json runs sync-generated-editor-html.js. That script resolves INIT_CWD, skips package-root installs, and if the consumer project has a src directory it copies scaffold/src/editor.html into src/editor.html. This is a package-aligned editor template sync, but it is lifecycle-triggered and can modify a consumer project file without an explicit CLI invocation. No evidence shows data theft, persistence, remote command execution, or foreign AI-agent control hijack.
Rationale
kinetik-engine@0.1.21 is not malicious by source inspection, but the unprompted postinstall write into the consumer project is a real lifecycle side effect worth warning on. Other suspicious primitives are aligned with a Three.js game engine/editor scaffold and runtime networking APIs.
Evidence
package.jsonsync-generated-editor-html.jsinit.jsbin/create-kinetik-app.jsscriptManager.jsnetworking.jsscaffold/electron-main.jsscaffold/preload.jssrc/editor.html

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json defines postinstall: node sync-generated-editor-html.js
  • sync-generated-editor-html.js runs at install time and writes INIT_CWD/src/editor.html when a src directory exists
  • init.js and bin/create-kinetik-app.js scaffold project files, but are user-invoked CLI paths
Evidence against
  • No credential, env, home-directory, AI-agent config, shell startup, or VCS hook harvesting found
  • No hardcoded exfiltration endpoint; networking.js requires caller-supplied apiBase
  • scriptManager.js dynamic import loads game/editor script paths from browser runtime state
  • Electron file writes are scaffold app editor operations scoped to levels/assets/saves/settings or user save dialogs
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 34 file(s), 719 KB of source, external domains: www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node sync-generated-editor-html.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scriptManager.jsView file
25if (_moduleCache.has(url)) return _moduleCache.get(url); L26: const mod = await import(url); L27: _moduleCache.set(url, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scriptManager.jsView on unpkg · L25

Findings

1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic RequirescriptManager.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License