AI Security Review
scanned 6h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a user-invoked monorepo scaffolding CLI with template code that includes optional AI/VM and network-capable utilities.
Decision evidence
public snapshot- packages/aix/src/tools/system/index.ts exposes VM JavaScript execution tools when the optional aix template is used.
- apps/startx-cli/src/commands/package.ts can run the workspace package manager after an explicit prompt unless --no-install is used.
- apps/startx-cli/src/commands/init.ts writes .vscode settings/extensions into newly scaffolded workspaces.
- package.json has no preinstall/install/postinstall lifecycle hooks; only bin startx is exposed.
- apps/startx-cli/src/index.ts only registers commander subcommands; behavior is user-invoked.
- apps/startx-cli/src/commands/init.ts and package.ts scaffold/copy template files and prompt before overwriting existing destinations.
- apps/startx-cli/src/commands/package.ts spawn usage is limited to pnpm/yarn/npm install in the target workspace after dependency prompts.
- Network references found are package-aligned app/template code such as OpenAI provider and Open-Meteo weather tools, not install/import-time exfiltration.
- The dist Unicode hits are ANSI/control characters from bundled prompt UI, not source-hiding Trojan Source logic.
Source & flagged code
6 flagged · loading sourcePackage contains a possible secret pattern.
apps/cli/src/commands/common/hashing.tsView on unpkg · L27Package source references a known benign dynamic code generation pattern.
packages/aix/src/lib/convertor/variable-resolver.tsView on unpkg · L129Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
apps/startx-cli/dist/index.mjsView on unpkg · L177A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
apps/startx-cli/dist/index.mjsView on unpkgPackage source references dynamic require/import behavior.
apps/startx-cli/dist/index.mjsView on unpkg · L61Package source executes code through a VM context API.
packages/aix/src/tools/system/index.tsView on unpkg · L233