AI Security Review
scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The CLI mutates the caller project and installs dev dependencies only after an explicit init command, which is package-aligned scaffolding behavior.
Decision evidence
Public snapshot:
- bin/cli.js uses execSync to run `npm install super-api-tester vitest --save-dev` during `super-api-tester init`.
- bin/cli.js writes `package.json` and `test/test.spec.js` in the caller workspace when init is invoked.
- package.json has no install/postinstall lifecycle; only prepublishOnly build.
- bin/cli.js behavior is gated behind explicit `init` command and matches README setup flow.
- dist/index.js and dist/index.cjs implement an API test client; fetch is only used for caller-supplied URLs or default test base URL.
- No credential/env harvesting, persistence, destructive deletion, obfuscated payload, or external exfiltration endpoint found.
- Dynamic Function/eval-like findings are bundled Vitest/Vite code, not package attack logic.
Source & flagged code
4 flagged

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
- bin/cli.js: Package source invokes a package manager install command at runtime.
- bin/cli.js (line 4): Package source references a known benign dynamic code generation pattern.
- dist/index.js (line 13912)