registry  /  samaro-uitest  /  1.0.1

samaro-uitest@1.0.1

Comprehensive testing framework for Angular with Vitest, Playwright, and Allure reporting

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Process execution and project writes are explicit testing/setup CLI features.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `samaro-init`, `samaro-test`, `samaro-allure`, or the Angular `ng add` schematic.
Impact
Creates or updates testing configuration and can run user-selected test/report commands in the current project.
Mechanism
User-invoked test framework setup, report generation, and configured application API helpers.
Rationale
The flagged primitives are aligned with an explicitly invoked Angular/Playwright/Allure testing toolkit. Static inspection found no install-time execution or concrete malicious chain.
Evidence
package.jsonbin/samaro-init.jsbin/samaro-allure.jsbin/samaro-test.jsschematics/ng-add/index.jsdist/helpers/api.js.gitignorevitest.config.tsplaywright.config.tsplaywright.component.config.tse2e/ct-tests/

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `bin/samaro-allure.js` invokes `npx allure` through `execSync`, but only for explicit `generate`/`open` commands.
  • `bin/samaro-test.js` enables a shell for a user-supplied test command.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook; `prepublishOnly` only builds.
  • `bin/samaro-init.js` only writes test configs, test files, scripts, and `.gitignore` after explicit CLI use.
  • `schematics/ng-add/index.js` performs package setup only through explicit Angular `ng add`.
  • `dist/helpers/api.js` targets the configured application API, defaulting to localhost; no hard-coded third-party endpoint.
  • No credential harvesting, exfiltration, payload download, persistence, AI-agent mutation, eval, or binary loading was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 40.3 KB of source, external domains: github.com

Source & flagged code

4 flagged · loading source
dist/helpers/auth.jsView file
74patternName = generic_password severity = medium line = 74 matchedText = password...3!',
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/helpers/auth.jsView on unpkg · L74
bin/samaro-allure.jsView file
2L3: import { execSync } from 'child_process'; L4: import fs from 'fs';
High
Child Process

Package source references child process execution.

bin/samaro-allure.jsView on unpkg · L2
36try { L37: execSync(`npx allure generate "${resultsPath}" --output "${reportPath}" --clean`, { L38: stdio: 'pipe',
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/samaro-allure.jsView on unpkg · L36
README.mdView file
199patternName = generic_password severity = medium line = 199 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in README.md

README.mdView on unpkg · L199

Findings

3 High3 Medium4 Low
HighChild Processbin/samaro-allure.js
HighShell
HighRuntime Package Installbin/samaro-allure.js
MediumSecret Patterndist/helpers/auth.js
MediumEnvironment Vars
MediumSecret PatternREADME.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowUrl Strings