
startx@1.1.33

> Scaffold a production-ready TypeScript monorepo in minutes.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a monorepo scaffolding CLI plus app/library templates with user-invoked file writes and app-aligned network/database helpers.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
User runs startx CLI commands or imports generated app libraries
Impact
Creates/updates project scaffold files and may call package-aligned APIs when app tools are used
Mechanism
scaffolding and application helper code
Rationale
Static inspection found risky primitives, but they are user-invoked scaffolding or package-aligned app/agent features, with no lifecycle execution, exfiltration, persistence, or foreign AI-agent control hijack. Scanner hints for Trojan Source and malicious trigger were not confirmed by source inspection.
Evidence
  • package.json
  • apps/startx-cli/dist/index.mjs
  • apps/startx-cli/src/index.ts
  • apps/startx-cli/src/commands/init.ts
  • apps/startx-cli/src/commands/package.ts
  • packages/aix/src/lib/convertor/variable-resolver.ts
  • packages/aix/src/tools/generic/database.ts
  • packages/aix/src/tools/generic/forecast.ts
  • packages/ui/src/api/use-api/react-query/use-api.ts
Network endpoints (5)
  • geocoding-api.open-meteo.com/v1/search
  • api.open-meteo.com/v1/forecast
  • api.anthropic.com/v1
  • api.groq.com/openai/v1
  • api.cerebras.ai/v1/

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • apps/startx-cli/src/commands/package.ts can run package-manager install via spawn, but only after user-invoked CLI prompts/options
  • packages/aix/src/lib/convertor/variable-resolver.ts evaluates configured variables/expressions inside app logic
  • packages/aix/src/tools/generic/database.ts exposes a Postgres SQL tool using internal DATABASE_URL
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle scripts
  • bin startx points to a user-invoked CLI, not import-time or install-time execution
  • CLI writes/copies scaffold files only into selected workspace/package paths
  • No foreign AI-agent control-surface writes found for Claude/Codex/Cursor/MCP configs
  • Bidi-control search over bundled CLI/source hot paths returned no matches
  • Network endpoints seen are package-aligned app/tool APIs such as Open-Meteo and configurable axios clients
Behavioral surface
Source
Child Process · Crypto · Dynamic Require · Environment Vars · Eval · Filesystem · Network · Shell
Supply chain
High Entropy Strings · Minified · Protestware · Url Strings
Manifest
No manifest risk signals triggered.
scanned 259 file(s), 1.20 MB of source, external domains: api.anthropic.com, api.cerebras.ai, api.groq.com, api.open-meteo.com, app.com, dotenvx.com, fonts.googleapis.com, fonts.gstatic.com, geocoding-api.open-meteo.com, github.com, json-schema.org

Source & flagged code

7 flagged
apps/cli/src/commands/common/hashing.ts
L27: patternName = generic_password severity = medium line = 27 matchedText = logger.i..."`);
Medium
Secret Pattern

Package contains a possible secret pattern.

apps/cli/src/commands/common/hashing.ts · L27
packages/aix/src/lib/convertor/variable-resolver.ts
L129: if (v.type === "fn") {
L130: parsed = eval(`(function() {
L131: return (function() {
Low
Eval

Package source references a known benign dynamic code generation pattern.

packages/aix/src/lib/convertor/variable-resolver.ts · L129
apps/startx-cli/dist/index.mjs
L177: contains invisible/control Unicode U+FEFF (zero width no-break space) `};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

apps/startx-cli/dist/index.mjs · L177
Trigger-reachable chain: manifest.bin -> apps/startx-cli/dist/index.mjs. Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

apps/startx-cli/dist/index.mjs
L61: `)[0]}\n`),Error.captureStackTrace(this,e)}};t.exports=e=>{if(e.length>2)throw new n(e);function t(e={}){this.options=e}t.prototype.transform=e;function r(e){return new t(e)}return...
L62: `)!=-1,a=this._styles,s=a.length;s--;){var c=i[a[s]];e=c.open+e.replace(c.closeRe,c.open)+c.close,t&&(e=e.replace(o,function(e){return c.close+e+c.open}))}return e}n.setTheme=funct...
L63: `));return!0}t.exports=(...e)=>{let t=n(r(e)),i=t();return i.Format=t.Format,i},t.exports.cascade=r})),vg=v(((e,t)=>{let{hasOwnProperty:n}=Object.prototype,r=_();r.configure=_,r.st...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

apps/startx-cli/dist/index.mjs · L61
packages/aix/src/tools/system/index.ts
L233: try {
L234: contextValue = JSON.parse(contextValue);
L235: } catch {
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

packages/aix/src/tools/system/index.ts · L233
packages/ui/src/api/use-api/react-query/use-api.ts
matchType = previous_version_dangerous_delta matchedPackage = startx@1.1.32 matchedIdentity = npm:c3RhcnR4:1.1.32 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

packages/ui/src/api/use-api/react-query/use-api.ts

Findings

3 Critical · 7 Medium · 5 Low
  • Critical · Trojan Source Unicode · apps/startx-cli/dist/index.mjs
  • Critical · Trigger Reachable Dangerous Capability · apps/startx-cli/dist/index.mjs
  • Critical · Previous Version Dangerous Delta · packages/ui/src/api/use-api/react-query/use-api.ts
  • Medium · Secret Pattern · apps/cli/src/commands/common/hashing.ts
  • Medium · Dynamic Require · apps/startx-cli/dist/index.mjs
  • Medium · Unsafe Vm Context · packages/aix/src/tools/system/index.ts
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Protestware
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Eval · packages/aix/src/lib/convertor/variable-resolver.ts
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings