registry  /  semantic-release-steam  /  2.1.2

semantic-release-steam@2.1.2

semantic-release plugin that publishes a Steam Workshop item from a built mod directory.

AI Security Review

scanned 25m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package performs explicit semantic-release publishing: stages a configured mod and calls SteamCMD with Steam credentials supplied by the caller.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A semantic-release publish run on a configured branch with Steam environment variables and mod configuration.
Impact
Intended Steam Workshop publication only; no unconsented install-time activity or exfiltration is established.
Mechanism
Writes temporary/staging files and executes configured SteamCMD and rsync binaries with fixed argument arrays.
Rationale
Static inspection shows a package-aligned Steam Workshop publishing plugin with no lifecycle execution or concrete malicious chain. Scanner claims about Trojan Source are explained by a deliberately named zero-width Markdown separator in `lib/readme.mjs`.
Evidence
package.jsonindex.mjslib/config.mjslib/steamcmd.mjslib/stage-content.mjslib/readme.mjslib/description.mjslib/vdf.mjsschema/plugin-config.json

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `lib/steamcmd.mjs` invokes a user-configured SteamCMD binary during publish.
  • `lib/stage-content.mjs` invokes `rsync` to stage configured mod content.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hooks.
  • `index.mjs` only exposes semantic-release verify/publish functions; no import-time action.
  • `lib/config.mjs` uses Steam env values only to validate config or write a temporary `config.vdf`.
  • `lib/steamcmd.mjs` passes Steam config to SteamCMD; no unrelated endpoint or exfiltration code.
  • `lib/readme.mjs` zero-width character is an explicit Markdown separator, not concealed control flow.
  • No eval, dynamic loading, shell interpolation, persistence, or AI-agent configuration writes found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 17.9 KB of source

Source & flagged code

2 flagged · loading source
lib/readme.mjsView file
100contains invisible/control Unicode U+FEFF (zero width no-break space) const stripBom = /^<U+FEFF>/;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

lib/readme.mjsView on unpkg · L100
Trigger-reachable chain: manifest.main -> index.mjs -> lib/readme.mjs Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

lib/readme.mjsView on unpkg

Findings

2 Critical2 Medium3 Low
CriticalTrojan Source Unicodelib/readme.mjs
CriticalTrigger Reachable Dangerous Capabilitylib/readme.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings