registry  /  sandstream-kit  /  5.0.0

sandstream-kit@5.0.0

developer kit. zero LLM, local-first, multi-vault. one command from git clone to working dev environment.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `kit agent-config` command modifies project AI-agent instruction/config files and can install blocking hooks. Explicit plugin installation can invoke npm for a selected package; package installation itself has no consumer lifecycle execution.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `kit agent-config`, `kit memory install`, or a plugin-install command.
Impact
Can alter agent behavior and permissions in the current project or Claude user settings, creating a meaningful extension lifecycle risk if run without informed review.
Mechanism
User-invoked AI-agent configuration and hook installation; user-requested npm plugin installation.
Rationale
No concrete malicious chain was found after source inspection, and no consumer install hook executes. The package nevertheless exposes explicit user-command AI-agent configuration and hook setup across project/user control surfaces, so it warrants a warning rather than a block.
Evidence
package.jsondist/cli.jsdist/commands/agent.jsdist/agent-config.jsdist/memory/install.jsdist/plugins.jsdist/triage-sandbox.jsdist/update-check.jsCLAUDE.mdAGENTS.md.cursorrules.clinerules.github/copilot-instructions.md.claude/settings.json~/.claude/settings.json
Network endpoints1
registry.npmjs.org/sandstream-kit/latest

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/agent.js` makes `kit agent-config` write agent rules, permissions, and install gates.
  • `dist/agent-config.js` targets `CLAUDE.md`, `AGENTS.md`, `.claude/settings.json`, and other agent configuration files.
  • `dist/memory/install.js` installs Claude Code hooks in `~/.claude/settings.json` when explicitly invoked.
  • `dist/plugins.js` can run `npm install` for a requested plugin at runtime.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook executes for consumers.
  • `dist/cli.js` dispatches mutating behavior only after a `kit` subcommand is invoked.
  • `dist/commands/agent.js` documents `agent-config` as the explicit trigger and supports opt-out of install gates.
  • `dist/triage-sandbox.js` uses `npm pack --ignore-scripts` for package inspection.
  • No inspected source showed credential exfiltration, hidden payload retrieval, or unsolicited destructive behavior.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 317 file(s), 2.36 MB of source, external domains: 127.0.0.1, api.berget.ai, api.bitbucket.org, api.cloudflare.com, api.eu.tinybird.co, api.github.com, api.neon.tech, api.planetscale.com, api.resend.com, api.search.brave.com, api.stripe.com, api.supabase.com, api.tinybird.co, api.trigger.dev, api.upstash.com, api.vercel.com, app.flagsmith.com, app.inngest.com, app.loops.so, app.planetscale.com, app.posthog.com, app.tinybird.co, berget.ai, brew.sh, cloud.google.com, cloud.trigger.dev, cloudidentity.googleapis.com, console.anthropic.com, console.aws.amazon.com, console.cloud.google.com, console.neon.tech, console.upstash.com, csrc.nist.gov, cwe.mitre.org, dash.cloudflare.com, dashboard.clerk.com, dashboard.stripe.com, developer.1password.com, docs.aws.amazon.com, docs.github.com, docs.microsoft.com, docs.railway.app, docs.sentry.io, docs.stripe.com, edge.api.flagsmith.com, eu.i.posthog.com, example.com, expo.dev, genai.owasp.org, github.com

Source & flagged code

9 flagged · loading source
dist/post-pull-audit.jsView file
24try { L25: const { stdout } = await exec("git", ["show", `${ref}:${path}`], { L26: cwd,
High
Child Process

Package source references child process execution.

dist/post-pull-audit.jsView on unpkg · L24
dist/memory/remote-sync.jsView file
89* `--upload-pack=<cmd>` turns `git clone` into arbitrary command execution; L90: * - `ext::`/`fd::` remote helpers run a command by design (`git clone ext::sh -c …`). L91: * Config is operator-owned (~/.kit/sync.toml, never the repo tree), so this is
High
Shell

Package source references shell execution.

dist/memory/remote-sync.jsView on unpkg · L89
dist/triage-sandbox.jsView file
75[/curl|wget|https?:\/\//i, "network call in install script"], L76: [/eval\s*\(/, "eval() in install script"], L77: [/Buffer\.from\([^,)]+,\s*['"]base64/, "base64 blob in install script"],
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/triage-sandbox.jsView on unpkg · L75
dist/plugin-loader.jsView file
75async function loadSinglePlugin(pluginName, projectPath) { L76: // Reject path-traversal / non-package names before they reach import() (RCE guard) L77: if (!isValidPluginName(pluginName)) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugin-loader.jsView on unpkg · L75
dist/elevation.jsView file
29/** L30: * Loud one-time stderr warning for the CI escape hatch. Emitted once per L31: * process so a single `kit secrets rotate ... ` invocation doesn't spam, ... L52: operation: "elevation-check", L53: environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown", L54: success: granted, L55: metadata: { L56: requested_scope: operation, ... L72: function elevationKeyPath() { L73: return `${_homedir()}/${ELEVATION_KEY_REL}`; L74: } ... L81: if (hex.length >= 64)
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/elevation.jsView on unpkg · L29
dist/update-check.jsView file
6import { isAirGap } from "./scanners.js"; L7: const __dirname = dirname(fileURLToPath(import.meta.url)); L8: const PACKAGE_NAME = "sandstream-kit"; ... L46: if (noticeSuppressed || L47: process.env.KIT_NO_UPDATE_CHECK === "1" || L48: process.env.CI === "true" || L49: process.env.GITHUB_ACTIONS === "true" || ... L57: const raw = await readFile(CACHE_FILE, "utf8"); L58: cache = JSON.parse(raw); L59: } ... L72: // Fetch latest from npm registry L73: const resp = await fetch(`https://registry.npmjs.org/${PACKAGE_NAME}/latest`, {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/update-check.jsView on unpkg · L6
dist/plugins.jsView file
223const cmd = metadata.install; L224: // Extract the actual npm install command L225: const match = cmd.match(/npm install (.+)/); L226: const pkgToInstall = match ? match[1] : packageName; L227: const { stderr } = await exec("npm", ["install", pkgToInstall], { L228: timeout: 60000,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/plugins.jsView on unpkg · L223
skills/triage/scripts/triage.pyView file
path = skills/triage/scripts/triage.py kind = build_helper sizeBytes = 23005 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/triage/scripts/triage.pyView on unpkg
dist/check-security.jsView file
matchType = previous_version_dangerous_delta matchedPackage = sandstream-kit@4.0.0 matchedIdentity = npm:c2FuZHN0cmVhbS1raXQ:4.0.0 similarity = 0.550 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/check-security.jsView on unpkg

Findings

1 Critical4 High5 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/check-security.js
HighChild Processdist/post-pull-audit.js
HighShelldist/memory/remote-sync.js
HighSandbox Evasion Gated Capabilitydist/update-check.js
HighRuntime Package Installdist/plugins.js
MediumDynamic Requiredist/plugin-loader.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperskills/triage/scripts/triage.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/triage-sandbox.js
LowWeak Cryptodist/elevation.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings