AI Security Review
scanned 6h ago · by lpm-firewall-ai
No confirmed malicious attack surface is established. Risky primitives are tied to explicit scaffolding or AI tool commands rather than install-time execution, stealth persistence, or exfiltration.
Decision evidence
public snapshot
- apps/startx-cli/src/commands/package.ts can write scaffold files and optionally spawn package-manager install, but only after explicit CLI commands/prompts.
- packages/aix/src/tools/system/index.ts exposes VM-backed JavaScript helper tools as user-invoked AI framework functionality.
- packages/aix/src/lib/convertor/variable-resolver.ts evaluates stored fn variables/expressions in QuickJS for template interpolation.
- package.json has no preinstall/install/postinstall lifecycle hooks; only bin startx points to apps/startx-cli/dist/index.mjs.
- apps/startx-cli/src/index.ts only registers commander commands ping/init/package and does not perform import-time mutation or network activity.
- apps/startx-cli/src/commands/init.ts and package.ts implement project scaffolding into user-selected workspaces with overwrite prompts.
- No credential harvesting or exfiltration path found in inspected CLI entrypoints or hot files.
- Network use found is package-aligned app/tool code, not install-time or hidden exfiltration.
- Scanner secret hit in apps/cli/src/commands/common/hashing.ts is a user-supplied password hashing command, not embedded secret material.
Source & flagged code
6 flagged
- Package contains a possible secret pattern. (apps/cli/src/commands/common/hashing.ts, L27)
- Package source references a known benign dynamic code generation pattern. (packages/aix/src/lib/convertor/variable-resolver.ts, L129)
- Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks. (apps/startx-cli/dist/index.mjs, L177)
- A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior. (apps/startx-cli/dist/index.mjs)
- Package source references dynamic require/import behavior. (apps/startx-cli/dist/index.mjs, L61)
- Package source executes code through a VM context API. (packages/aix/src/tools/system/index.ts, L233)