registry  /  kinetik-engine  /  0.1.9

kinetik-engine@0.1.9

Kinetik engine and project initializer for Three.js games

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The main risk is an install-time package-aligned overwrite of src/editor.html in an existing project with src/ present.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall, or user-invoked kinetik/create-kinetik-app and runtime game/editor APIs
Impact
Potential project editor template overwrite during install; no evidence of exfiltration, persistence, destructive behavior, or AI-agent control hijack.
Mechanism
local scaffold sync, project scaffolding, browser game script loading, and optional game networking
Rationale
The package contains a questionable postinstall project-file sync, but inspection shows it only copies a bundled editor template into a package-aligned game project path and does not mutate foreign AI-agent surfaces, steal data, persist, or execute remote code. Dynamic imports and network calls are runtime game-engine features controlled by scene metadata or caller configuration.
Evidence
package.jsonsync-generated-editor-html.jsscriptManager.jsnetworking.jsinit.jsbin/create-kinetik-app.jsscaffold/electron-main.jsscaffold/preload.jsscaffold/scripts/run-electron.jssrc/editor.htmlelectron-main.jspreload.jsvite.config.jsscripts/run-electron.jssrc/index.htmlsrc/main.jssrc/game/editorSetup.jssrc/game/bootstrap.jssrc/game/globals.jssrc/game/ground.jssrc/game/player.jsscripts/scene.jsscripts/object.jslevels/main.json
Network endpoints2
stun:stun.l.google.com:19302stun:stun1.l.google.com:19302

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall: node sync-generated-editor-html.js
  • sync-generated-editor-html.js writes INIT_CWD/src/editor.html when a src directory exists
  • scriptManager.js dynamically imports browser script paths from game scene/object metadata
Evidence against
  • postinstall source is local scaffold/src/editor.html and skips package-root installs or projects without src/
  • No credential/env harvesting beyond INIT_CWD; no secrets, tokens, home files, or agent control-surface writes found
  • networking.js uses caller-configured apiBase plus WebRTC/STUN for game networking, not hardcoded exfiltration
  • bin/create-kinetik-app.js and init.js scaffold a Three.js/Electron game project with bounded package files
  • Electron scaffold file writes are user/editor invoked for levels, saves, settings, and imported assets
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 33 file(s), 708 KB of source, external domains: www.w3.org

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node sync-generated-editor-html.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scriptManager.jsView file
25if (_moduleCache.has(url)) return _moduleCache.get(url); L26: const mod = await import(url); L27: _moduleCache.set(url, mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

scriptManager.jsView on unpkg · L25

Findings

1 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic RequirescriptManager.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License