registry  /  semantic-release-steam  /  2.1.1

semantic-release-steam@2.1.1

semantic-release plugin that publishes a Steam Workshop item from a built mod directory.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package intentionally stages configured mod content and calls a user-configured SteamCMD executable only during semantic-release publishing.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A configured semantic-release `publish` invocation on a mapped branch.
Impact
Publishes configured content to an existing Steam Workshop item; no unconsented side effect occurs on installation or import.
Mechanism
Stage mod files, generate a Steam Workshop VDF, and invoke SteamCMD.
Rationale
Source inspection shows a package-aligned semantic-release plugin for publishing user-configured Steam Workshop content. Static hints overstate benign zero-width/BOM handling and intended SteamCMD subprocess use; no concrete malicious chain is present.
Evidence
package.jsonindex.mjslib/config.mjslib/stage-content.mjslib/steamcmd.mjslib/readme.mjslib/description.mjslib/vdf.mjs

Decision evidence

public snapshot
AI called this Clean at 99.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has no preinstall/install/postinstall hooks.
    • `index.mjs` only acts through semantic-release `publish`; import defines plugin functions.
    • `lib/steamcmd.mjs` invokes configured SteamCMD with fixed argument structure to upload a Workshop VDF.
    • `lib/config.mjs` uses Steam environment values only for publish configuration and a temporary config file.
    • `lib/readme.mjs` contains U+200B/U+FEFF formatting characters, not bidi control characters.
    • No exfiltration, remote payload retrieval, persistence, destructive action, or AI-agent control-surface writes found.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemShell
    Supply chain
    HighEntropyStrings
    ManifestNo manifest risk signals triggered.
    scanned 7 file(s), 17.7 KB of source

    Source & flagged code

    2 flagged · loading source
    lib/readme.mjsView file
    100contains invisible/control Unicode U+FEFF (zero width no-break space) const stripBom = /^<U+FEFF>/;
    Critical
    Trojan Source Unicode

    Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

    lib/readme.mjsView on unpkg · L100
    Trigger-reachable chain: manifest.main -> index.mjs -> lib/readme.mjs Reachable file contains a blocking source-risk pattern.
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    lib/readme.mjsView on unpkg

    Findings

    2 Critical2 Medium3 Low
    CriticalTrojan Source Unicodelib/readme.mjs
    CriticalTrigger Reachable Dangerous Capabilitylib/readme.mjs
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings