
periderm-cli@0.1.38

Pre-launch scanner for web and mobile codebases. Context-aware checks for JS, TS, Flutter, React Native, and Swift.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface established. The package is a user-invoked CLI scanner that reads a target project, writes .periderm reports, stores login config, and calls package-aligned Periderm/Groq/update/error-report endpoints.

Static reason
No blocking static signals were detected; the diff against the previous stored version introduced a source file flagged as dangerous.
Trigger
Explicit periderm commands such as scan, login, review, watch, or CLI startup update check
Impact
Expected project scanning/report upload behavior; no install-time execution or stealth credential harvesting found
Mechanism
Authenticated scanner/reporting CLI with local report writes and package-aligned HTTP calls
Rationale
Static inspection shows scanner-like behavior aligned with the package purpose, including explicit report generation and authenticated uploads, with no lifecycle execution or covert exfiltration path. The scanner hint about dangerous delta appears noisy because dist/scanner/checks.js implements deterministic checks for user projects rather than attacking the install host.
Evidence
  • package.json
  • dist/bin.js
  • dist/index.js
  • dist/api.js
  • dist/config.js
  • dist/error-report.js
  • dist/review/deep.js
  • dist/scanner/context-agent.js
  • dist/scanner/index.js
  • dist/scanner/repo-checks.js
  • ~/.periderm/config.json
  • .periderm/last-report.md
  • .periderm/last-report.json
  • .periderm/ai-instructions.md
  • .periderm/.gitignore
Network endpoints (8)
  • registry.npmjs.org/${name}/latest
  • ${apiUrl}/api/public/verify-token
  • ${apiUrl}/api/public/scan
  • ${apiUrl}/api/policies
  • ${apiUrl}/api/public/deep-review
  • api.groq.com/openai/v1/chat/completions
  • formspree.io/f/mqakppnn
  • ${cfg.apiUrl}/api/public/report-error

Decision evidence

public snapshot
AI called this Clean at 92.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Observed network and file-write behavior only on explicit CLI commands: scan/login/review/update/crash reporting.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hook.
  • bin.js only imports CLI and runs update check on periderm invocation.
  • repo-checks.js reads target project files to produce scanner findings; no exfiltration or execution.
  • api.js uploads scan results to configured Periderm API after authenticated scan command.
  • config.js stores token in ~/.periderm/config.json with mode 0600 during login.
  • No child_process, eval/vm/Function, native binary, or persistence primitives found by source search.
Behavioral surface
Source
  • Child Process
  • Dynamic Require
  • Environment Vars
  • Filesystem
  • Network
Supply chain
  • High Entropy Strings
  • Url Strings
Manifest
  • No manifest risk signals triggered.
scanned 25 file(s), 182 KB of source, external domains: 127.0.0.1, api.groq.com, formspree.io, registry.npmjs.org, www.w3.org, your-domain.com

Source & flagged code

2 flagged
dist/scanner/repo-checks.js
L313: why: "Without code-splitting, a visitor to your landing page also downloads the admin dashboard, the settings screens, and every modal. First paint gets slower with every feature y...
L314: fix: "Wrap heavy or rarely-used routes in React.lazy(() => import('./Route')) + <Suspense>, or use your router's built-in lazy() API. Split third-party charts, editors and 3D scene...
L315: aiPrompt: `This project has ${routeFiles.length} route files but no dynamic import()/React.lazy usage. Identify the largest / least-visited routes (admin, settings, editors, charts...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/scanner/repo-checks.js · L313
dist/scanner/checks.js
  • matchType = previous_version_dangerous_delta
  • matchedPackage = periderm-cli@0.1.37
  • matchedIdentity = npm:cGVyaWRlcm0tY2xp:0.1.37
  • similarity = 0.875
  • summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/scanner/checks.js

Findings

1 Critical · 3 Medium · 4 Low
  • Critical: Previous Version Dangerous Delta (dist/scanner/checks.js)
  • Medium: Dynamic Require (dist/scanner/repo-checks.js)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings