registry  /  sandstream-kit  /  3.2.0

sandstream-kit@3.2.0

developer kit. zero LLM, local-first, multi-vault. one command from git clone to working dev environment.

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Risky primitives are aligned with a developer setup/security CLI and are activated by explicit kit commands rather than install/import.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
user runs kit CLI subcommands such as setup, agent-config, plugin install, memory sync, or update check
Impact
No evidence of credential exfiltration, persistence, destructive behavior, or unconsented AI-agent control hijack.
Mechanism
explicit developer tooling operations with validation/opt-in guards
Rationale
Static inspection found numerous powerful CLI features, but they are package-aligned, user-invoked, and include meaningful guards; there is no install-time/import-time payload or covert exfiltration path. The scanner's dangerous labels appear to be noisy for this developer security toolkit.
Evidence
package.jsondist/cli.jsdist/agent-config.jsdist/plugin-loader.jsdist/plugins.jsdist/memory/db.jsdist/memory/remote-sync.jsdist/post-pull-audit.jsdist/triage-sandbox.jsdist/update-check.jsCLAUDE.mdAGENTS.md.cursorrules.clinerules.github/copilot-instructions.md.claude/settings.json.codex/config.toml.opencode/plugin/kit-install-gate.js.clinerules/hooks/PreToolUse~/.kit/memory.db~/.kit/sync.toml~/.kit/last-update-check.json
Network endpoints1
registry.npmjs.org/sandstream-kit/latest

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/update-check.js fetches https://registry.npmjs.org/sandstream-kit/latest during CLI update checks unless suppressed.
  • dist/agent-config.js can write agent rule/config files and hooks when setup/agent-config is invoked.
  • dist/memory/remote-sync.js supports git or operator command sync of encrypted memory blobs from ~/.kit/sync.toml.
Evidence against
  • package.json has no install/postinstall hook; only prepublishOnly build script.
  • dist/plugin-loader.js validates plugin names and confines dynamic imports to project node_modules.
  • dist/plugins.js npm install is an explicit plugin install helper using registry package metadata.
  • dist/memory/remote-sync.js keeps sync config under ~/.kit, blocks project-origin sync, encrypts blobs, and strips KIT secrets from command transport env.
  • dist/agent-config.js writes managed kit instructions/defensive install gates only on user-invoked setup/agent-config paths.
  • dist/post-pull-audit.js and dist/triage-sandbox.js use child processes for git/npm/tar inspection workflows, not covert execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 228 file(s), 1.69 MB of source, external domains: 127.0.0.1, api.berget.ai, api.bitbucket.org, api.cloudflare.com, api.eu.tinybird.co, api.github.com, api.neon.tech, api.planetscale.com, api.resend.com, api.search.brave.com, api.stripe.com, api.supabase.com, api.tinybird.co, api.trigger.dev, api.upstash.com, api.vercel.com, app.flagsmith.com, app.inngest.com, app.loops.so, app.planetscale.com, app.posthog.com, app.tinybird.co, berget.ai, brew.sh, cloud.google.com, cloud.trigger.dev, console.anthropic.com, console.aws.amazon.com, console.cloud.google.com, console.neon.tech, console.upstash.com, cwe.mitre.org, dash.cloudflare.com, dashboard.clerk.com, dashboard.stripe.com, developer.1password.com, docs.aws.amazon.com, docs.github.com, docs.microsoft.com, docs.railway.app, docs.sentry.io, docs.stripe.com, edge.api.flagsmith.com, eu.i.posthog.com, example.com, expo.dev, github.com, grunden.ai, json.schemastore.org, liveblocks.io

Source & flagged code

9 flagged · loading source
dist/post-pull-audit.jsView file
24try { L25: const { stdout } = await exec("git", ["show", `${ref}:${path}`], { L26: cwd,
High
Child Process

Package source references child process execution.

dist/post-pull-audit.jsView on unpkg · L24
dist/memory/remote-sync.jsView file
87* `--upload-pack=<cmd>` turns `git clone` into arbitrary command execution; L88: * - `ext::`/`fd::` remote helpers run a command by design (`git clone ext::sh -c …`). L89: * Config is operator-owned (~/.kit/sync.toml, never the repo tree), so this is
High
Shell

Package source references shell execution.

dist/memory/remote-sync.jsView on unpkg · L87
dist/triage-sandbox.jsView file
75[/curl|wget|https?:\/\//i, "network call in install script"], L76: [/eval\s*\(/, "eval() in install script"], L77: [/Buffer\.from\([^,)]+,\s*['"]base64/, "base64 blob in install script"],
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/triage-sandbox.jsView on unpkg · L75
dist/plugin-loader.jsView file
75async function loadSinglePlugin(pluginName, projectPath) { L76: // Reject path-traversal / non-package names before they reach import() (RCE guard) L77: if (!isValidPluginName(pluginName)) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugin-loader.jsView on unpkg · L75
dist/elevation.jsView file
29/** L30: * Loud one-time stderr warning for the CI escape hatch. Emitted once per L31: * process so a single `kit secrets rotate ... ` invocation doesn't spam, ... L52: operation: "elevation-check", L53: environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown", L54: success: granted, L55: metadata: { L56: requested_scope: operation, ... L72: function elevationKeyPath() { L73: return `${_homedir()}/${ELEVATION_KEY_REL}`; L74: } ... L81: if (hex.length >= 64)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/elevation.jsView on unpkg · L29
dist/cli.jsView file
18import { isNonInteractive } from "./environment.js"; L19: import { spawn as spawnChild } from "node:child_process"; L20: import { promptSelect } from "./utils/promptSelect.js"; ... L102: export { escapeWorkflowCmd, xmlEscape }; L103: const __dirname = dirname(fileURLToPath(import.meta.url)); L104: const KIT_VERSION = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8")).version; L105: /** Map a security finding to a short, actionable PAL title/detail. */ ... L111: const { runHeal } = await import("./heal.js"); L112: // Progress goes to stderr: live feedback for a human watching, without L113: // polluting the machine-readable proposals on stdout (--agent). ... L169: async function maybeEmitCheckAttestation(command, overallOk, summary, scannersRan, quiet) { L170: if (!hasFlag(process.argv, "--attest") && !envTruthy(process.env.KIT_ATTEST))
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L18
dist/plugins.jsView file
223const cmd = metadata.install; L224: // Extract the actual npm install command L225: const match = cmd.match(/npm install (.+)/); L226: const pkgToInstall = match ? match[1] : packageName; L227: const { stderr } = await exec("npm", ["install", pkgToInstall], { L228: timeout: 60000,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/plugins.jsView on unpkg · L223
skills/triage/scripts/triage.pyView file
path = skills/triage/scripts/triage.py kind = build_helper sizeBytes = 13048 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/triage/scripts/triage.pyView on unpkg
dist/memory/db.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sandstream-kit@3.1.0 matchedIdentity = npm:c2FuZHN0cmVhbS1raXQ:3.1.0 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/memory/db.jsView on unpkg

Findings

1 Critical3 High6 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/memory/db.js
HighChild Processdist/post-pull-audit.js
HighShelldist/memory/remote-sync.js
HighRuntime Package Installdist/plugins.js
MediumDynamic Requiredist/plugin-loader.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumShips Build Helperskills/triage/scripts/triage.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/triage-sandbox.js
LowWeak Cryptodist/elevation.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings