registry  /  margins-cli  /  0.16.0

margins-cli@0.16.0

CLI for Margins — sync and review Markdown in Git

AI Security Review

scanned 2h ago · by lpm-firewall-ai

An explicit `margins open` command fetches a current private runtime package and executes its launcher. The reviewed package delegates executable behavior to code not present in this archive.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `margins open`.
Impact
A future private-registry runtime release can execute with the invoking user's permissions and receives package-registry authentication.
Mechanism
authenticated remote runtime installation and launcher execution
Rationale
No concrete malicious behavior is present in the inspected package itself, but its explicit open command downloads and executes an unpinned private runtime. That unresolved remote payload channel warrants a warning rather than a block.
Evidence
package.jsonbin/margins.jsdist/index.mjsdist/runtime-C34gpFId.mjsdist/open-DRI1TeIo.mjsdist/config-DVO9hXat.mjs~/.margins/runtime/<version>/<os.tmpdir>/margins-npmrc-*/.npmrc<runtime>/scripts/launcher.mjs
Network endpoints2
npm.pkg.github.comregistry.npmjs.org/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/runtime-C34gpFId.mjs` resolves `GITHUB_TOKEN` or `gh auth token`.
  • `dist/runtime-C34gpFId.mjs` queries and installs unpinned latest `@alvistar/margins-light` from `npm.pkg.github.com`.
  • `dist/open-DRI1TeIo.mjs` spawns the downloaded runtime's `scripts/launcher.mjs`.
  • The runtime package is cached under `~/.margins/runtime/<version>/`.
Evidence against
  • `package.json` has only `prepublishOnly`; no preinstall/install/postinstall hook.
  • The downloader is reached through the explicit `margins open` command.
  • Child-process calls use `execFile` argument arrays rather than shell interpolation.
  • The temporary authenticated `.npmrc` is mode 0600 and removed in `finally`.
  • No source evidence of unrelated credential exfiltration, destructive behavior, or AI-agent control-surface writes.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 48 file(s), 729 KB of source, external domains: 127.0.0.1, auth.example.com, datatracker.ietf.org, github.com, json-schema.org, margins.thealvistar.com, npm.pkg.github.com, raw.githubusercontent.com, registry.npmjs.org

Source & flagged code

6 flagged · loading source
dist/runtime-C34gpFId.mjsView file
2import { _ as RuntimeIncompatibleError, f as NodeTooOldError, g as RuntimeAuthError, v as RuntimeInstallError, y as RuntimeNotPublishedError } from "./errors-bexNeFqt.mjs"; L3: import { execFile } from "node:child_process"; L4: import * as path$1 from "node:path";
High
Child Process

Package source references child process execution.

dist/runtime-C34gpFId.mjsView on unpkg · L2
dist/open-Cc1YSg33.mjsView file
87})(); L88: const powerShellPathFromWsl = async () => { L89: return `${await wslDrivesMountPoint()}[redacted].0/powershell.exe`;
High
Shell

Package source references shell execution.

dist/open-Cc1YSg33.mjsView on unpkg · L87
dist/config-DVO9hXat.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = margins-cli@0.13.0 matchedIdentity = npm:bWFyZ2lucy1jbGk:0.13.0 similarity = 0.619 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/config-DVO9hXat.mjsView on unpkg
3066ref: validation_error_1.default, L3067: code: (0, codegen_1._)`require("ajv/dist/runtime/validation_error").default` L3068: });
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/config-DVO9hXat.mjsView on unpkg · L3066
3105if (this.opts.code.process) sourceCode = this.opts.code.process(sourceCode, sch); L3106: const validate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode)(this, this.scope.get()); L3107: this.scope.value(validateName, { ref: validate });
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/config-DVO9hXat.mjsView on unpkg · L3105
dist/index.mjsView file
15Cross-file remote execution chain: dist/index.mjs spawns dist/config-DVO9hXat.mjs; helper contains network access plus dynamic code execution. L15: * Constructs the CommanderError class L16: * @param {number} exitCode suggested exit code which could be used with process.exit L17: * @param {string} code an id string representing the error ... L162: * @return {string} L163: * @private L164: */ ... L178: * TypeScript import types for JSDoc, used by Visual Studio Code IntelliSense and `npm run typescript-checkJS` L179: * https://www.typescriptlang.org/docs/handbook/jsdoc-supported-types.html#import-types L180: * @typedef { import("./argument.js").Argument } Argument ... L1027: const EventEmitter = __require("node:events").EventEmitter; L1028: const childProcess = __require("node:child_process"); L1029: const path = __require("node:path");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.mjsView on unpkg · L15

Findings

1 Critical3 High4 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/config-DVO9hXat.mjs
HighChild Processdist/runtime-C34gpFId.mjs
HighShelldist/open-Cc1YSg33.mjs
HighCross File Remote Execution Contextdist/index.mjs
MediumDynamic Requiredist/config-DVO9hXat.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/config-DVO9hXat.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License