AI Security Review
scanned 25m ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package performs explicit semantic-release publishing: stages a configured mod and calls SteamCMD with Steam credentials supplied by the caller.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
A semantic-release publish run on a configured branch with Steam environment variables and mod configuration.
Impact
Intended Steam Workshop publication only; no unconsented install-time activity or exfiltration is established.
Mechanism
Writes temporary/staging files and executes configured SteamCMD and rsync binaries with fixed argument arrays.
Rationale
Static inspection shows a package-aligned Steam Workshop publishing plugin with no lifecycle execution or concrete malicious chain. Scanner claims about Trojan Source are explained by a deliberately named zero-width Markdown separator in `lib/readme.mjs`.
Evidence
package.jsonindex.mjslib/config.mjslib/steamcmd.mjslib/stage-content.mjslib/readme.mjslib/description.mjslib/vdf.mjsschema/plugin-config.json
Decision evidence
public snapshotAI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
- `lib/steamcmd.mjs` invokes a user-configured SteamCMD binary during publish.
- `lib/stage-content.mjs` invokes `rsync` to stage configured mod content.
Evidence against
- `package.json` has no preinstall, install, or postinstall hooks.
- `index.mjs` only exposes semantic-release verify/publish functions; no import-time action.
- `lib/config.mjs` uses Steam env values only to validate config or write a temporary `config.vdf`.
- `lib/steamcmd.mjs` passes Steam config to SteamCMD; no unrelated endpoint or exfiltration code.
- `lib/readme.mjs` zero-width character is an explicit Markdown separator, not concealed control flow.
- No eval, dynamic loading, shell interpolation, persistence, or AI-agent configuration writes found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcelib/readme.mjsView file
100contains invisible/control Unicode U+FEFF (zero width no-break space)
const stripBom = /^<U+FEFF>/;
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
lib/readme.mjsView on unpkg · L100•Trigger-reachable chain: manifest.main -> index.mjs -> lib/readme.mjs
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
lib/readme.mjsView on unpkgFindings
2 Critical2 Medium3 Low
CriticalTrojan Source Unicodelib/readme.mjs
CriticalTrigger Reachable Dangerous Capabilitylib/readme.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings