periderm-cli@0.1.29

A pre-launch checklist for your codebase. Scan JS, TS, JSX, and TSX projects before you ship.

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a CLI scanner that reads a target project when invoked and writes local reports under .periderm, with optional dashboard upload after authentication.

Static reason
No blocking static signals were detected; the previous stored version diff introduced dangerous source.
Trigger
User runs periderm commands such as scan, review, login, or watch
Impact
No install-time execution, persistence, destructive behavior, or unconsented credential exfiltration identified.
Mechanism
User-invoked static analysis CLI with authenticated API calls
Rationale
Static inspection shows scanner and CLI behavior consistent with the package purpose; suspicious strings in dist/scanner/checks.js are detection patterns and AI repair prompts for user projects. Network and file writes occur on user-invoked commands and are aligned with authentication, update checks, reporting, and local scan output.
Evidence
• package.json
• dist/bin.js
• dist/index.js
• dist/api.js
• dist/config.js
• dist/update-notifier.js
• dist/error-report.js
• dist/scanner/checks.js
• .periderm/last-report.md
• .periderm/last-report.json
• .periderm/ai-instructions.md
Network endpoints (3)
• registry.npmjs.org/${name}/latest
• periderm-cli.vercel.app
• formspree.io/f/mqakppnn

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no install/preinstall/postinstall hooks; only a user-invoked bin entrypoint.
• dist/bin.js only starts the update check and exception handlers, then imports the CLI index.
• dist/index.js writes reports under the scanned project's .periderm directory during user-invoked scan/review commands.
• Network calls are package-aligned: npm registry update check, Periderm API, and error reporting on command failures.
• dist/scanner/checks.js contains scanner rules for detecting env leaks/secrets in target source, not credential harvesting by this package.
Behavioral surface
Source: ChildProcess, EnvironmentVars, Filesystem, Network
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 22 file(s), 130 KB of source, external domains: 127.0.0.1, formspree.io, periderm-cli.vercel.app, registry.npmjs.org, www.w3.org, your-domain.com

Source & flagged code

1 flagged
dist/scanner/checks.js
matchType = previous_version_dangerous_delta
matchedPackage = periderm-cli@0.1.27
matchedIdentity = npm:cGVyaWRlcm0tY2xp:0.1.27
similarity = 0.850
summary = stored previous version shares package body but lacks this dangerous source file
Critical: Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/scanner/checks.js

Findings

1 Critical, 2 Medium, 4 Low
• Critical: Previous Version Dangerous Delta (dist/scanner/checks.js)
• Medium: Network
• Medium: Environment Vars
• Low: Scripts Present
• Low: Filesystem
• Low: High Entropy Strings
• Low: Url Strings