registry  /  sandstream-kit  /  3.1.0

sandstream-kit@3.1.0

developer kit. zero LLM, local-first, multi-vault. one command from git clone to working dev environment.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface found. Risky primitives are aligned with a developer security/automation CLI and are gated by explicit user commands or local configuration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes kit CLI/MCP commands such as setup, agent-config, plugin install, memory sync, audit, or checks.
Impact
Expected project/tooling configuration changes; no evidence of unconsented install/import-time execution, credential exfiltration, persistence, or destructive behavior.
Mechanism
developer tooling with user-invoked filesystem writes, subprocesses, plugin loading, and optional network checks
Rationale
Static source inspection shows a broad developer kit with security scanners, agent configuration helpers, and opt-in hooks; the suspicious primitives are documented and user-invoked rather than hidden lifecycle behavior. No credential harvesting/exfiltration, malicious persistence, or unconsented AI-agent control-surface mutation was confirmed.
Evidence
package.jsondist/cli.jsdist/agent-config.jsdist/plugins.jsdist/plugin-loader.jsdist/memory/remote-sync.jsdist/audit-anchor.jsdist/update-check.js.kit.tomlCLAUDE.mdAGENTS.md.cursorrules.clinerules.github/copilot-instructions.md.claude/settings.json.codex/config.toml~/.kit/audit-anchor.key~/.kit/audit-anchor.json~/.kit/last-update-check.json~/.kit/sync.toml
Network endpoints2
registry.npmjs.org/sandstream-kit/latestlocalhost:3199

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepublishOnly is publish-time build only.
    • dist/cli.js only runs main() when invoked as CLI, not on import.
    • dist/agent-config.js writes managed kit guidance/allow rules during user-invoked setup/agent-config; install-gate is opt-in via --install-gate.
    • dist/plugin-loader.js validates npm package names and imports only from project node_modules.
    • dist/plugins.js npm install is a user-invoked plugin install path using fixed argv via execFile wrapper.
    • dist/memory/remote-sync.js sync is opt-in from ~/.kit/sync.toml, encrypts payloads, and rejects git option/ext/fd remote helpers.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 227 file(s), 1.69 MB of source, external domains: 127.0.0.1, api.berget.ai, api.bitbucket.org, api.cloudflare.com, api.eu.tinybird.co, api.github.com, api.neon.tech, api.planetscale.com, api.resend.com, api.search.brave.com, api.stripe.com, api.supabase.com, api.tinybird.co, api.trigger.dev, api.upstash.com, api.vercel.com, app.flagsmith.com, app.inngest.com, app.loops.so, app.planetscale.com, app.posthog.com, app.tinybird.co, berget.ai, brew.sh, cloud.google.com, cloud.trigger.dev, console.anthropic.com, console.aws.amazon.com, console.cloud.google.com, console.neon.tech, console.upstash.com, cwe.mitre.org, dash.cloudflare.com, dashboard.clerk.com, dashboard.stripe.com, developer.1password.com, docs.aws.amazon.com, docs.github.com, docs.microsoft.com, docs.railway.app, docs.sentry.io, docs.stripe.com, edge.api.flagsmith.com, eu.i.posthog.com, example.com, expo.dev, github.com, grunden.ai, json.schemastore.org, liveblocks.io

    Source & flagged code

    9 flagged · loading source
    dist/post-pull-audit.jsView file
    24try { L25: const { stdout } = await exec("git", ["show", `${ref}:${path}`], { L26: cwd,
    High
    Child Process

    Package source references child process execution.

    dist/post-pull-audit.jsView on unpkg · L24
    dist/memory/remote-sync.jsView file
    87* `--upload-pack=<cmd>` turns `git clone` into arbitrary command execution; L88: * - `ext::`/`fd::` remote helpers run a command by design (`git clone ext::sh -c …`). L89: * Config is operator-owned (~/.kit/sync.toml, never the repo tree), so this is
    High
    Shell

    Package source references shell execution.

    dist/memory/remote-sync.jsView on unpkg · L87
    dist/triage-sandbox.jsView file
    75[/curl|wget|https?:\/\//i, "network call in install script"], L76: [/eval\s*\(/, "eval() in install script"], L77: [/Buffer\.from\([^,)]+,\s*['"]base64/, "base64 blob in install script"],
    Low
    Eval

    Package source references a known benign dynamic code generation pattern.

    dist/triage-sandbox.jsView on unpkg · L75
    dist/plugin-loader.jsView file
    75async function loadSinglePlugin(pluginName, projectPath) { L76: // Reject path-traversal / non-package names before they reach import() (RCE guard) L77: if (!isValidPluginName(pluginName)) {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/plugin-loader.jsView on unpkg · L75
    dist/elevation.jsView file
    29/** L30: * Loud one-time stderr warning for the CI escape hatch. Emitted once per L31: * process so a single `kit secrets rotate ... ` invocation doesn't spam, ... L52: operation: "elevation-check", L53: environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown", L54: success: granted, L55: metadata: { L56: requested_scope: operation, ... L72: function elevationKeyPath() { L73: return `${_homedir()}/${ELEVATION_KEY_REL}`; L74: } ... L81: if (hex.length >= 64)
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/elevation.jsView on unpkg · L29
    dist/cli.jsView file
    18import { isNonInteractive } from "./environment.js"; L19: import { spawn as spawnChild } from "node:child_process"; L20: import { promptSelect } from "./utils/promptSelect.js"; ... L102: export { escapeWorkflowCmd, xmlEscape }; L103: const __dirname = dirname(fileURLToPath(import.meta.url)); L104: const KIT_VERSION = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8")).version; L105: /** Map a security finding to a short, actionable PAL title/detail. */ ... L111: const { runHeal } = await import("./heal.js"); L112: // Progress goes to stderr: live feedback for a human watching, without L113: // polluting the machine-readable proposals on stdout (--agent). ... L169: async function maybeEmitCheckAttestation(command, overallOk, summary, scannersRan, quiet) { L170: if (!hasFlag(process.argv, "--attest") && !envTruthy(process.env.KIT_ATTEST))
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/cli.jsView on unpkg · L18
    dist/plugins.jsView file
    223const cmd = metadata.install; L224: // Extract the actual npm install command L225: const match = cmd.match(/npm install (.+)/); L226: const pkgToInstall = match ? match[1] : packageName; L227: const { stderr } = await exec("npm", ["install", pkgToInstall], { L228: timeout: 60000,
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    dist/plugins.jsView on unpkg · L223
    skills/triage/scripts/triage.pyView file
    path = skills/triage/scripts/triage.py kind = build_helper sizeBytes = 13048 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    skills/triage/scripts/triage.pyView on unpkg
    dist/audit-anchor.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = sandstream-kit@3.0.0 matchedIdentity = npm:c2FuZHN0cmVhbS1raXQ:3.0.0 similarity = 0.942 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/audit-anchor.jsView on unpkg

    Findings

    1 Critical3 High6 Medium7 Low
    CriticalPrevious Version Dangerous Deltadist/audit-anchor.js
    HighChild Processdist/post-pull-audit.js
    HighShelldist/memory/remote-sync.js
    HighRuntime Package Installdist/plugins.js
    MediumDynamic Requiredist/plugin-loader.js
    MediumNetwork
    MediumEnvironment Vars
    MediumInstall Persistencedist/cli.js
    MediumShips Build Helperskills/triage/scripts/triage.py
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowEvaldist/triage-sandbox.js
    LowWeak Cryptodist/elevation.js
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings