
super-api-tester@1.6.7

A high-performance, schema-driven API automation framework.

AI Security Review

scanned 12h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Risky behavior is an explicit API-testing CLI that can generate, run, and heal tests using Gemini and Vitest.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced a dangerous source file.
Trigger
User runs super-api-tester init, heal/run, or --ai
Impact
May modify project test files/package.json and send test code/logs to Gemini as documented functionality
Mechanism
user-invoked AI test generation/healing and test execution
Rationale
The suspicious primitives are package-aligned, documented, and activated by explicit CLI commands rather than npm install/import-time execution. I found no hidden exfiltration, persistence, destructive behavior, or agent-control hijack.
Evidence
package.json, bin/cli.js, bin/aiGenerator.js, bin/aiHealer.js, dist/index.js, dist/index.cjs, dist/client.js, readme.md, test/test.spec.js, test/ai-generated-${Date.now()}.spec.ts, ${filePath}.bak, filePath
Network endpoints (3)
generativelanguage.googleapis.com/v1beta/models/${modelName}:generateContent, api.example.com/endpoint, api.restful-api.dev

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
  • bin/aiHealer.js sends test source and failure logs to Gemini when user runs heal and a test fails
  • bin/cli.js init rewrites project package.json/test file and runs npm install, but only from explicit CLI command
Evidence against
  • package.json has no install/postinstall/prepare lifecycle hook; prepublishOnly is publish-time build only
  • bin/cli.js behavior is exposed through the declared super-api-tester CLI, not import-time execution
  • bin/aiGenerator.js only writes generated specs under ./test after explicit --ai use
  • dist/index.js and dist/index.cjs implement API test client fetch/request wrappers with user-supplied URLs
  • No credential harvesting, persistence, destructive deletion, broad agent control-surface writes, or hidden endpoints found
Behavioral surface
Source
Child Process, Environment Vars, Eval, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 7 file(s), 2.39 MB of source, external domains: api.example.com, api.restful-api.dev, generativelanguage.googleapis.com, github.com, vitest.dev

Source & flagged code

4 flagged
bin/cli.js
matchType = previous_version_dangerous_delta
matchedPackage = super-api-tester@1.6.6
matchedIdentity = npm:c3VwZXItYXBpLXRlc3Rlcg:1.6.6
similarity = 0.667
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/cli.js
    L4: import path from 'path';
    L5: import { exec, execSync } from 'child_process';
    L6: import { generateAndRunAiTest } from './aiGenerator.js';
High
Child Process

Package source references child process execution.

bin/cli.js · L4
    L79: // Run vitest on the ENTIRE test folder directory natively
    L80: const runCommand = `npx vitest run test/ --reporter=verbose`;
    L81:
    L82: const child = exec(runCommand, async (error, stdout, stderr) => {
    L83:   const fullLog = stdout + '\n' + stderr;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cli.js · L79
dist/client.js
    L13915: snapshotContents = content;
    L13916: const populate = new Function("exports", snapshotContents);
    L13917: populate(data);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/client.js · L13915

Findings

1 Critical · 3 High · 3 Medium · 6 Low
  • Critical: Previous Version Dangerous Delta (bin/cli.js)
  • High: Child Process (bin/cli.js)
  • High: Shell
  • High: Runtime Package Install (bin/cli.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Non Install Lifecycle Scripts
  • Low: Scripts Present
  • Low: Eval (dist/client.js)
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings