registry  /  mbler  /  0.2.9-rc.2

mbler@0.2.9-rc.2

mcx DSL cli

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI performs filesystem and network actions only for explicit build, marketplace, and game-addon commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs mbler login, publish, install, uninstall, or build commands.
Impact
User-selected package archives may be downloaded to the configured Minecraft game directory; no silent install-time action is present.
Mechanism
Explicit PMNX marketplace publishing/installing and Minecraft addon deployment.
Rationale
Static inspection shows a user-invoked Minecraft addon build/marketplace CLI, not covert execution or exfiltration. Scanner signals map to documented marketplace authentication, package download, and build subprocess behavior.
Evidence
package.jsonbin/mbler.cjsbin/mcx-tsc.cjsdist/index.mjsdist/build.mjsREADME.md
Network endpoints2
d.pmnx.qzz.ioregistry.npmjs.com

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall, install, postinstall, or prepare hook.
    • bin/mbler.cjs only starts the exported CLI; bin/mcx-tsc.cjs runs the package build entry.
    • dist/index.mjs sends its stored PMNX token only during explicit login, publish, unpublish, or profile flows.
    • dist/index.mjs downloads and extracts marketplace add-ons only via the explicit install command.
    • No eval, vm, shell downloader, credential-file harvesting, AI-agent config mutation, or import-time network call found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 5 file(s), 129 KB of source, external domains: d.pmnx.qzz.io, github.com, registry.npmjs.com

    Source & flagged code

    2 flagged · loading source
    package.jsonView file
    name = mbler; similarTo = multer
    Medium
    Typosquat Name

    Package name is suspiciously similar to a popular package name.

    package.jsonView on unpkg
    bin/mbler.cjsView file
    1#!/usr/bin/env node L2: const mbler = require('./../dist') L3:
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    bin/mbler.cjsView on unpkg · L1

    Findings

    4 Medium4 Low
    MediumTyposquat Namepackage.json
    MediumDynamic Requirebin/mbler.cjs
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings