AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package intentionally stages configured mod content and calls a user-configured SteamCMD executable only during semantic-release publishing.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
A configured semantic-release `publish` invocation on a mapped branch.
Impact
Publishes configured content to an existing Steam Workshop item; no unconsented side effect occurs on installation or import.
Mechanism
Stage mod files, generate a Steam Workshop VDF, and invoke SteamCMD.
Rationale
Source inspection shows a package-aligned semantic-release plugin for publishing user-configured Steam Workshop content. Static hints overstate benign zero-width/BOM handling and intended SteamCMD subprocess use; no concrete malicious chain is present.
Evidence
package.jsonindex.mjslib/config.mjslib/stage-content.mjslib/steamcmd.mjslib/readme.mjslib/description.mjslib/vdf.mjs
Decision evidence
public snapshotAI called this Clean at 99.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- `package.json` has no preinstall/install/postinstall hooks.
- `index.mjs` only acts through semantic-release `publish`; import defines plugin functions.
- `lib/steamcmd.mjs` invokes configured SteamCMD with fixed argument structure to upload a Workshop VDF.
- `lib/config.mjs` uses Steam environment values only for publish configuration and a temporary config file.
- `lib/readme.mjs` contains U+200B/U+FEFF formatting characters, not bidi control characters.
- No exfiltration, remote payload retrieval, persistence, destructive action, or AI-agent control-surface writes found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemShell
HighEntropyStrings
Source & flagged code
2 flagged · loading sourcelib/readme.mjsView file
100contains invisible/control Unicode U+FEFF (zero width no-break space)
const stripBom = /^<U+FEFF>/;
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
lib/readme.mjsView on unpkg · L100•Trigger-reachable chain: manifest.main -> index.mjs -> lib/readme.mjs
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
lib/readme.mjsView on unpkgFindings
2 Critical2 Medium3 Low
CriticalTrojan Source Unicodelib/readme.mjs
CriticalTrigger Reachable Dangerous Capabilitylib/readme.mjs
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings