
super-api-tester@1.5.9

A high-performance, schema-driven API automation framework.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI mutates the caller's project and installs dev dependencies only after an explicit `init` command, which is scaffolding behavior consistent with the package's stated purpose.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User runs `super-api-tester init` or imports API client code.
Impact
Creates test scaffold and updates package scripts; runtime HTTP requests go to user-supplied API targets.
Mechanism
User-invoked project scaffolding and an API test HTTP client.
Rationale
Source inspection shows risky primitives in the CLI, but they are explicit setup behavior documented by the package and not install/import-time malware. No credential theft, hidden exfiltration, persistence, destructive behavior, or unconsented execution was found.
Evidence
package.json, bin/cli.js, dist/index.js, dist/index.cjs, readme.md, dist/index.d.ts, test/test.spec.js
Network endpoints (1)
api.restful-api.dev

Decision evidence

public snapshot
The AI verdict is Clean (Benign) at 86.0% confidence, with medium false-positive risk.
Evidence for block
  • bin/cli.js uses execSync to run `npm install super-api-tester vitest --save-dev` during `super-api-tester init`.
  • bin/cli.js writes `package.json` and `test/test.spec.js` in the caller workspace when init is invoked.
Evidence against
  • package.json has no install/postinstall lifecycle; only prepublishOnly build.
  • bin/cli.js behavior is gated behind explicit `init` command and matches README setup flow.
  • dist/index.js and dist/index.cjs implement an API test client; fetch is only used for caller-supplied URLs or default test base URL.
  • No credential/env harvesting, persistence, destructive deletion, obfuscated payload, or external exfiltration endpoint found.
  • Dynamic Function/eval-like findings are bundled Vitest/Vite code, not package attack logic.
Behavioral surface
Source: Child Process, Eval, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 3 file(s), 1.19 MB of source, external domains: api.restful-api.dev, github.com, vitest.dev

Source & flagged code

4 flagged
bin/cli.js
    matchType = previous_version_dangerous_delta
    matchedPackage = super-api-tester@1.6.6
    matchedIdentity = npm:c3VwZXItYXBpLXRlc3Rlcg:1.6.6
    similarity = 0.667
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. Note that the stored comparison version here is 1.6.6, a higher version number than 1.5.9, so the delta is measured against whichever version the scanner had on record rather than the chronologically prior release.

Location: bin/cli.js (source on unpkg)
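The two checks this verdict rests on, the lifecycle-versus-bin gating weighed in the decision evidence above and the previous-version file delta behind this Critical finding, can be reproduced with a small static triage pass. The script below is an added example written for this review; it is not code from super-api-tester or from the scanner. The manifests and sources it inspects are constructed stand-ins for a package tarball, the regexes are illustrative heuristics, and the function names (`triagePackage`, `executionSurface`, `dangerousDelta`) are this example's own.

```javascript
// Added example (not from the super-api-tester package or the scanner):
// static triage of a package snapshot, answering the two questions the
// review above turns on: when can flagged code run, and what is new?
'use strict';

// Hooks npm runs on its own during `npm install` (prepare only for local/git
// installs). prepublishOnly is deliberately absent: it runs at publish time.
const INSTALL_TIME_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Illustrative regexes for the report's Child Process, Runtime Package Install
// and Eval signals. They match literal text only (see the note below).
const DANGEROUS_PATTERNS = [
  { signal: 'child_process',
    re: /require\(['"](node:)?child_process['"]\)|from\s+['"](node:)?child_process['"]/ },
  { signal: 'runtime_package_install', re: /\b(npm|pnpm|yarn)\s+(install|add|i)\b/ },
  { signal: 'eval', re: /\beval\(|new\s+Function\(/ },
];

function scanSource(source) {
  return DANGEROUS_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.signal);
}

// When can code in `filePath` run? 'import-time' for the main/module entry,
// 'user-invoked' for a bin entry, 'indirect' for everything else.
function executionSurface(manifest, filePath) {
  const norm = (p) => String(p).replace(/^\.\//, '');
  const entries = [manifest.main, manifest.module].filter(Boolean).map(norm);
  const binField = manifest.bin || {};
  const bins = (typeof binField === 'string' ? [binField] : Object.values(binField)).map(norm);
  const target = norm(filePath);
  if (entries.includes(target)) return 'import-time';
  if (bins.includes(target)) return 'user-invoked';
  return 'indirect';
}

// files: { 'package.json': '...', 'bin/cli.js': '...', ... }
// Returns findings tagged with the surface each one reaches.
function triagePackage(files) {
  const manifest = JSON.parse(files['package.json']);
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_TIME_HOOKS) {
    if (scripts[hook]) {
      findings.push({ file: 'package.json', signal: `lifecycle:${hook}`, surface: 'install-time' });
    }
  }
  for (const [path, source] of Object.entries(files)) {
    if (!/\.(c|m)?js$/.test(path)) continue; // .js, .cjs, .mjs only
    for (const signal of scanSource(source)) {
      findings.push({ file: path, signal, surface: executionSurface(manifest, path) });
    }
  }
  return findings;
}

// Files present in `current` but absent from `previous` that carry a dangerous
// signal: the "previous version dangerous delta" check.
function dangerousDelta(previous, current) {
  return Object.keys(current)
    .filter((path) => !(path in previous))
    .map((path) => ({ file: path, signals: scanSource(current[path]) }))
    .filter((d) => d.signals.length > 0);
}

// Constructed snapshots (not the real package contents). The new version adds a
// bin script that shells out to npm behind an `init` subcommand.
const SHARED_INDEX = "export async function call(url) { return fetch(url); }\n";
const PREVIOUS = {
  'package.json': JSON.stringify({ name: 'example-pkg', version: '1.0.0',
    main: 'dist/index.js', scripts: { prepublishOnly: 'tsup src/index.ts' } }),
  'dist/index.js': SHARED_INDEX,
};
const CURRENT = {
  'package.json': JSON.stringify({ name: 'example-pkg', version: '1.1.0',
    main: 'dist/index.js', bin: { 'example-pkg': 'bin/cli.js' },
    scripts: { prepublishOnly: 'tsup src/index.ts' } }),
  'dist/index.js': SHARED_INDEX,
  'bin/cli.js': [
    "import { execSync } from 'child_process';",
    "if (process.argv[2] === 'init') {",
    "  execSync('npm install example-pkg vitest --save-dev', { stdio: 'inherit' });",
    '}',
  ].join('\n'),
};
// Same files, but the manifest now runs the CLI from postinstall: the identical
// execSync call moves to install time, which is what would change the verdict.
const WITH_POSTINSTALL = {
  ...CURRENT,
  'package.json': JSON.stringify({ ...JSON.parse(CURRENT['package.json']),
    scripts: { postinstall: 'node bin/cli.js init' } }),
};

console.log(JSON.stringify({
  current: triagePackage(CURRENT),
  withPostinstall: triagePackage(WITH_POSTINSTALL),
  delta: dangerousDelta(PREVIOUS, CURRENT),
}, null, 2));
```

Two limits are worth keeping in mind when reading the output. The regexes see only literal text, so a command assembled at runtime (`'np' + 'm install'`, or one read from an environment variable) slips past them, and the surface classification trusts the manifest: a bin script that the main entry also requires reaches import time despite being labelled user-invoked. Both are reasons the signals above are paired with a read of bin/cli.js rather than scored on their own.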
bin/cli.js (source on unpkg), from line 4:
    4: import path from 'path';
    5: import { execSync } from 'child_process';
High
Child Process

Package source references child process execution.

Location: bin/cli.js, line 4 (source on unpkg)
bin/cli.js (source on unpkg), from line 4:
    4: import path from 'path';
    5: import { execSync } from 'child_process';
    ...
    16: Available commands:
    17:   npx super-api-tester init - Setup your automated test environment
    18: `);
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

Location: bin/cli.js, line 4 (source on unpkg)
dist/index.js (source on unpkg), from line 13912:
    13912: snapshotContents = content;
    13913: const populate = new Function("exports", snapshotContents);
    13914: populate(data);
Low
Eval

Package source references a known benign dynamic code generation pattern.

Location: dist/index.js, line 13912 (source on unpkg)

Findings

1 Critical, 3 High, 2 Medium, 6 Low
Critical: Previous Version Dangerous Delta (bin/cli.js)
High: Child Process (bin/cli.js)
High: Shell
High: Runtime Package Install (bin/cli.js)
Medium: Network
Medium: Structural Risk Force Deep Review
Low: Non Install Lifecycle Scripts
Low: Scripts Present
Low: Eval (dist/index.js)
Low: Filesystem
Low: High Entropy Strings
Low: Url Strings