registry  /  sandstream-kit  /  3.3.0

sandstream-kit@3.3.0

developer kit. zero LLM, local-first, multi-vault. one command from git clone to working dev environment.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Sensitive operations are CLI features for developer setup, security scanning, plugin management, and opt-in memory sync rather than install-time or import-time behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit user CLI commands such as kit setup, kit memory install, plugin install, scan, or memory sync
Impact
No unconsented execution or exfiltration confirmed by static inspection
Mechanism
User-invoked developer automation with guarded file writes, subprocesses, and package-aligned network APIs
Rationale
Static hints map to a security/developer CLI that intentionally runs scanners, installs explicit plugins, and wires agent helpers only on user-invoked commands. There is no consumer install hook, import-time payload, hardcoded exfiltration endpoint, or unconsented AI-agent control-surface mutation in the inspected source.
Evidence
package.jsondist/cli.jsdist/check-security.jsdist/plugins.jsdist/plugin-loader.jsdist/memory/install.jsdist/memory/remote-sync.jsdist/agent-config.jsdist/post-pull-audit.jsdist/triage-sandbox.js

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/memory/install.js can write Claude Code hooks/statusLine to ~/.claude/settings.json when user runs memory install.
  • dist/agent-config.js can write managed kit instructions and read-only allow rules to agent config files during setup/agent-config.
  • dist/memory/remote-sync.js supports opt-in encrypted memory sync to user-configured git/command transport from ~/.kit/sync.toml.
Evidence against
  • package.json has no consumer install/postinstall hooks; only prepublishOnly build hook.
  • dist/plugin-loader.js validates npm plugin names and restricts dynamic imports to project node_modules.
  • dist/plugins.js installs plugins only through explicit installPlugin runtime action using npm argv, not lifecycle execution.
  • dist/memory/remote-sync.js documents opt-in local config, encrypts memory blobs, blocks project-origin sync, and strips KIT secrets for command transport.
  • dist/agent-config.js says install-gate and permissions are opt-in/idempotent and does not set bypass/deny rules.
  • No hardcoded exfiltration endpoint or automatic credential/env harvesting path was found in inspected hot files.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 228 file(s), 1.70 MB of source, external domains: 127.0.0.1, api.berget.ai, api.bitbucket.org, api.cloudflare.com, api.eu.tinybird.co, api.github.com, api.neon.tech, api.planetscale.com, api.resend.com, api.search.brave.com, api.stripe.com, api.supabase.com, api.tinybird.co, api.trigger.dev, api.upstash.com, api.vercel.com, app.flagsmith.com, app.inngest.com, app.loops.so, app.planetscale.com, app.posthog.com, app.tinybird.co, berget.ai, brew.sh, cloud.google.com, cloud.trigger.dev, console.anthropic.com, console.aws.amazon.com, console.cloud.google.com, console.neon.tech, console.upstash.com, cwe.mitre.org, dash.cloudflare.com, dashboard.clerk.com, dashboard.stripe.com, developer.1password.com, docs.aws.amazon.com, docs.github.com, docs.microsoft.com, docs.railway.app, docs.sentry.io, docs.stripe.com, edge.api.flagsmith.com, eu.i.posthog.com, example.com, expo.dev, github.com, grunden.ai, json.schemastore.org, liveblocks.io

Source & flagged code

9 flagged · loading source
dist/post-pull-audit.jsView file
24try { L25: const { stdout } = await exec("git", ["show", `${ref}:${path}`], { L26: cwd,
High
Child Process

Package source references child process execution.

dist/post-pull-audit.jsView on unpkg · L24
dist/memory/remote-sync.jsView file
87* `--upload-pack=<cmd>` turns `git clone` into arbitrary command execution; L88: * - `ext::`/`fd::` remote helpers run a command by design (`git clone ext::sh -c …`). L89: * Config is operator-owned (~/.kit/sync.toml, never the repo tree), so this is
High
Shell

Package source references shell execution.

dist/memory/remote-sync.jsView on unpkg · L87
dist/triage-sandbox.jsView file
75[/curl|wget|https?:\/\//i, "network call in install script"], L76: [/eval\s*\(/, "eval() in install script"], L77: [/Buffer\.from\([^,)]+,\s*['"]base64/, "base64 blob in install script"],
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/triage-sandbox.jsView on unpkg · L75
dist/plugin-loader.jsView file
75async function loadSinglePlugin(pluginName, projectPath) { L76: // Reject path-traversal / non-package names before they reach import() (RCE guard) L77: if (!isValidPluginName(pluginName)) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugin-loader.jsView on unpkg · L75
dist/elevation.jsView file
29/** L30: * Loud one-time stderr warning for the CI escape hatch. Emitted once per L31: * process so a single `kit secrets rotate ... ` invocation doesn't spam, ... L52: operation: "elevation-check", L53: environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown", L54: success: granted, L55: metadata: { L56: requested_scope: operation, ... L72: function elevationKeyPath() { L73: return `${_homedir()}/${ELEVATION_KEY_REL}`; L74: } ... L81: if (hex.length >= 64)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/elevation.jsView on unpkg · L29
dist/cli.jsView file
18import { isNonInteractive } from "./environment.js"; L19: import { spawn as spawnChild } from "node:child_process"; L20: import { promptSelect } from "./utils/promptSelect.js"; ... L102: export { escapeWorkflowCmd, xmlEscape }; L103: const __dirname = dirname(fileURLToPath(import.meta.url)); L104: const KIT_VERSION = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8")).version; L105: /** Map a security finding to a short, actionable PAL title/detail. */ ... L111: const { runHeal } = await import("./heal.js"); L112: // Progress goes to stderr: live feedback for a human watching, without L113: // polluting the machine-readable proposals on stdout (--agent). ... L169: async function maybeEmitCheckAttestation(command, overallOk, summary, scannersRan, quiet) { L170: if (!hasFlag(process.argv, "--attest") && !envTruthy(process.env.KIT_ATTEST))
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L18
dist/plugins.jsView file
223const cmd = metadata.install; L224: // Extract the actual npm install command L225: const match = cmd.match(/npm install (.+)/); L226: const pkgToInstall = match ? match[1] : packageName; L227: const { stderr } = await exec("npm", ["install", pkgToInstall], { L228: timeout: 60000,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/plugins.jsView on unpkg · L223
skills/triage/scripts/triage.pyView file
path = skills/triage/scripts/triage.py kind = build_helper sizeBytes = 13048 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/triage/scripts/triage.pyView on unpkg
dist/check-security.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sandstream-kit@3.2.0 matchedIdentity = npm:c2FuZHN0cmVhbS1raXQ:3.2.0 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/check-security.jsView on unpkg

Findings

1 Critical3 High6 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/check-security.js
HighChild Processdist/post-pull-audit.js
HighShelldist/memory/remote-sync.js
HighRuntime Package Installdist/plugins.js
MediumDynamic Requiredist/plugin-loader.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumShips Build Helperskills/triage/scripts/triage.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/triage-sandbox.js
LowWeak Cryptodist/elevation.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings