AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. Shell, network, filesystem, and deployment actions are explicit user-invoked CLI features for local project generation, AWS deployment, schema retrieval, and self-update.
Decision evidence
public snapshot- package.json has no lifecycle hooks; install does not execute package code.
- runtime.ts only re-exports library modules; no import-time mutation or network call.
- src/rastack-update.ts runs npm only for explicit `rastack update` requests and uses execFileSync.
- src/rastack-ci.ts and src/deploy/ci.ts perform AWS/curl deployment steps only through explicit CLI CI/deploy commands.
- provider/wasm.ts dynamic import loads the package’s documented local WASM module, not a remote payload.
- No source references to AI-agent configuration paths or credential harvesting/exfiltration were found.
Source & flagged code
5 flagged · loading sourcePackage source references a known benign dynamic code generation pattern.
provider/wasm.tsView on unpkg · L12Package source references dynamic require/import behavior.
dist/rastack-compile.jsView on unpkg · L12Package source invokes a package manager install command at runtime.
src/rastack-update.tsView on unpkg · L14This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/rastack.jsView on unpkg