AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time attack surface. Explicit CLI commands can scaffold project workflows, self-update the package, and run developer-selected local tooling.
Decision evidence
public snapshot- `src/rastack-init.ts` explicitly scaffolds GitHub Actions and can invoke AWS deployment commands.
- `src/rastack-update.ts` explicitly runs `npm install -g rastack@...` for self-update.
- `src/tokens/compile.ts` requires a user-selected local token module.
- `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
- CLI execution requires an explicit `rastack` subcommand.
- AWS, npm, git, Cargo, and cloud actions are user-invoked developer tooling.
- No source evidence of credential harvesting, secret-file reads, or network exfiltration.
- No AI-agent configuration paths or foreign control-surface mutation were found.
- No binary/native payload files were present.
Source & flagged code
5 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
provider/wasm.tsView on unpkg · L12Package source references dynamic require/import behavior.
dist/rastack-compile.jsView on unpkg · L12Package source invokes a package manager install command at runtime.
src/rastack-update.tsView on unpkg · L14This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/rastack.jsView on unpkg