registry  /  sandstream-kit  /  4.0.0

sandstream-kit@4.0.0

developer kit. zero LLM, local-first, multi-vault. one command from git clone to working dev environment.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a developer security/setup CLI with user-invoked command execution, plugin installation, service checks, and optional agent configuration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs kit CLI/MCP commands such as setup, agent-config, pkg, plugin install, or kit_run.
Impact
User-authorized local project changes, package installs, service checks, or command execution; no hidden install-time behavior confirmed.
Mechanism
explicit developer-tool automation with validation and read-only gates
Rationale
Static inspection shows risky primitives are part of an explicit local developer kit and are activated by user commands, not install/import-time stealth behavior. Network and filesystem writes are package-aligned with setup, security scanning, update checks, service integrations, or opt-in agent gates.
Evidence
package.jsondist/cli.jsdist/agent-config.jsdist/install-gate.jsdist/mcp-server.jsdist/plugin-loader.jsdist/plugins.jsdist/update-check.jsdist/memory/remote-sync.jsAGENTS.mdCLAUDE.md.cursorrules.clinerules.github/copilot-instructions.md.claude/settings.json.codex/config.toml.cursor/hooks.json.opencode/plugin/kit-install-gate.js.clinerules/hooks/PreToolUse.kit.toml.env.local
Network endpoints5
registry.npmjs.org/sandstream-kit/latestlocalhost:3199api.search.brave.com/res/v1/web/searchwww.googleapis.com/customsearch/v1api.stripe.com/v1/balance

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/mcp-server.js exposes kit_run/kit_install tools that can execute user-requested commands or installs.
  • dist/agent-config.js can write agent rules/hooks under AGENTS.md, .claude, .codex, .cursor, .opencode, .clinerules when invoked.
  • dist/update-check.js performs an npm registry update check on CLI runs unless suppressed.
Evidence against
  • package.json has no install/preinstall/postinstall hook; only prepublishOnly build script.
  • dist/plugin-loader.js validates npm package names and confines dynamic imports to project node_modules.
  • dist/plugins.js npm install path is explicit plugin installation, not lifecycle/import-time execution.
  • dist/agent-config.js install gates are opt-in/user-invoked and block untriaged installs rather than hijack agents.
  • dist/memory/remote-sync.js uses local ~/.kit/sync.toml, encrypted blobs, git argv guards, and rejects project-origin sync.
  • No credential harvesting or exfiltration endpoint found; service API calls are package-aligned and user-configured.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 228 file(s), 1.71 MB of source, external domains: 127.0.0.1, api.berget.ai, api.bitbucket.org, api.cloudflare.com, api.eu.tinybird.co, api.github.com, api.neon.tech, api.planetscale.com, api.resend.com, api.search.brave.com, api.stripe.com, api.supabase.com, api.tinybird.co, api.trigger.dev, api.upstash.com, api.vercel.com, app.flagsmith.com, app.inngest.com, app.loops.so, app.planetscale.com, app.posthog.com, app.tinybird.co, berget.ai, brew.sh, cloud.google.com, cloud.trigger.dev, console.anthropic.com, console.aws.amazon.com, console.cloud.google.com, console.neon.tech, console.upstash.com, cwe.mitre.org, dash.cloudflare.com, dashboard.clerk.com, dashboard.stripe.com, developer.1password.com, docs.aws.amazon.com, docs.github.com, docs.microsoft.com, docs.railway.app, docs.sentry.io, docs.stripe.com, edge.api.flagsmith.com, eu.i.posthog.com, example.com, expo.dev, github.com, grunden.ai, json.schemastore.org, liveblocks.io

Source & flagged code

9 flagged · loading source
dist/post-pull-audit.jsView file
24try { L25: const { stdout } = await exec("git", ["show", `${ref}:${path}`], { L26: cwd,
High
Child Process

Package source references child process execution.

dist/post-pull-audit.jsView on unpkg · L24
dist/memory/remote-sync.jsView file
87* `--upload-pack=<cmd>` turns `git clone` into arbitrary command execution; L88: * - `ext::`/`fd::` remote helpers run a command by design (`git clone ext::sh -c …`). L89: * Config is operator-owned (~/.kit/sync.toml, never the repo tree), so this is
High
Shell

Package source references shell execution.

dist/memory/remote-sync.jsView on unpkg · L87
dist/triage-sandbox.jsView file
75[/curl|wget|https?:\/\//i, "network call in install script"], L76: [/eval\s*\(/, "eval() in install script"], L77: [/Buffer\.from\([^,)]+,\s*['"]base64/, "base64 blob in install script"],
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/triage-sandbox.jsView on unpkg · L75
dist/plugin-loader.jsView file
75async function loadSinglePlugin(pluginName, projectPath) { L76: // Reject path-traversal / non-package names before they reach import() (RCE guard) L77: if (!isValidPluginName(pluginName)) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugin-loader.jsView on unpkg · L75
dist/elevation.jsView file
29/** L30: * Loud one-time stderr warning for the CI escape hatch. Emitted once per L31: * process so a single `kit secrets rotate ... ` invocation doesn't spam, ... L52: operation: "elevation-check", L53: environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown", L54: success: granted, L55: metadata: { L56: requested_scope: operation, ... L72: function elevationKeyPath() { L73: return `${_homedir()}/${ELEVATION_KEY_REL}`; L74: } ... L81: if (hex.length >= 64)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/elevation.jsView on unpkg · L29
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sandstream-kit@3.3.0 matchedIdentity = npm:c2FuZHN0cmVhbS1raXQ:3.3.0 similarity = 0.975 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli.jsView on unpkg
18import { isNonInteractive } from "./environment.js"; L19: import { spawn as spawnChild } from "node:child_process"; L20: import { promptSelect } from "./utils/promptSelect.js"; ... L102: export { escapeWorkflowCmd, xmlEscape }; L103: const __dirname = dirname(fileURLToPath(import.meta.url)); L104: const KIT_VERSION = JSON.parse(readFileSync(join(__dirname, "..", "package.json"), "utf-8")).version; L105: /** Map a security finding to a short, actionable PAL title/detail. */ ... L111: const { runHeal } = await import("./heal.js"); L112: // Progress goes to stderr: live feedback for a human watching, without L113: // polluting the machine-readable proposals on stdout (--agent). ... L169: async function maybeEmitCheckAttestation(command, overallOk, summary, scannersRan, quiet) { L170: if (!hasFlag(process.argv, "--attest") && !envTruthy(process.env.KIT_ATTEST))
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L18
dist/plugins.jsView file
223const cmd = metadata.install; L224: // Extract the actual npm install command L225: const match = cmd.match(/npm install (.+)/); L226: const pkgToInstall = match ? match[1] : packageName; L227: const { stderr } = await exec("npm", ["install", pkgToInstall], { L228: timeout: 60000,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/plugins.jsView on unpkg · L223
skills/triage/scripts/triage.pyView file
path = skills/triage/scripts/triage.py kind = build_helper sizeBytes = 13048 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/triage/scripts/triage.pyView on unpkg

Findings

1 Critical3 High6 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/post-pull-audit.js
HighShelldist/memory/remote-sync.js
HighRuntime Package Installdist/plugins.js
MediumDynamic Requiredist/plugin-loader.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumShips Build Helperskills/triage/scripts/triage.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/triage-sandbox.js
LowWeak Cryptodist/elevation.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings