registry  /  sloth-d2c-node  /  0.0.1-beta127

sloth-d2c-node@0.0.1-beta127

转码能力的node服务,需在apps/figma中执行pnpm dev:lib:node,然后再pnpm dev启动调试,

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a NestJS design-to-code/Figma conversion service with user-invoked Figma API access and image downloading.

Static reason
One or more suspicious static signals were detected.
Trigger
Running the server or invoking exported conversion functions/endpoints
Impact
Caller-provided Figma token may be logged locally; generated HTML may be written to mcp.html when /d2c/convert is called
Mechanism
Figma data retrieval and design-to-code conversion
Rationale
Static inspection found suspicious primitives, but they are package-aligned for a Figma/D2C service and activated by explicit runtime/API use rather than install/import. The crypto dependency squat and local token logging are quality/security issues, not concrete malware behavior in this package source.
Evidence
package.jsonREADME.mddist/main.jsdist/utils/d2c-convert.jsdist/utils/figma.jsdist/utils/index.jsdist/modules/d2c/d2c.controller.jsdist/modules/d2c/d2c.service.jsmcp.html
Network endpoints2
api.figma.com/v1/files/${fileKey}/nodes?ids=${nodeId}&geometry=pathsapi.figma.com/v1/images/${fileKey}

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json declares dependency "crypto" matching a Node built-in name
  • dist/modules/d2c/d2c.controller.js writes generated HTML to mcp.html during /d2c/convert requests
  • dist/utils/figma.js logs figmaToken in getFigmaData, exposing caller token to local logs
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • Exported entry ./convert maps to dist/utils/d2c-convert.js and does not execute conversion on import
  • Network calls are Figma API/image downloads aligned with D2C conversion functionality
  • No child_process, shell execution, eval/vm/Function, persistence, or destructive filesystem behavior found
  • Environment reads in dist/main.js are limited to NODE_ENV, NODE_PORT, and dotenv config selection
  • README describes a Node service for design-to-code conversion
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
Manifest
NoLicense
scanned 11 file(s), 50.7 KB of source, external domains: api.figma.com

Source & flagged code

1 flagged · loading source
package.jsonView file
Runtime dependency names matching Node built-ins: crypto
High
Node Builtin Dependency Squat

Package declares a runtime dependency whose name matches a Node built-in module.

package.jsonView on unpkg

Findings

1 High2 Medium4 Low
HighNode Builtin Dependency Squatpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowNo License