registry  /  syrax-audit  /  1.0.5

syrax-audit@1.0.5

Herramienta CLI oficial de Syrax para auditar tu código y obtener prompts de reparación de IA.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `syrax-audit` and accepts interactive Husky or autofix prompts.
Impact
Project source rendered as HTML and a Syrax API key are sent to the audit service; selected flows can alter local automation.
Mechanism
Remote HTML audit plus explicit project hook and AI-agent setup.
Rationale
No concrete stealthy or install-time malicious chain is present. Flag as warn because the package explicitly mutates AI-agent configuration and can launch coding agents after a user selection, while also transmitting local HTML to a remote service.
Evidence
package.jsonbin/index.js.envindex.htmldist/index.htmlpublic/index.html.svelte-kit/output/client/index.html.husky/pre-commit.husky/pre-pushsyrax-report.json.cursorrules
Network endpoints2
syrax-analyzer.moisesvalero.es/api/web-audit/cli-analyzelocalhost:5173

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/index.js` reads project `.env` for `SYRAX_API_KEY`.
  • CLI POSTs local HTML and bearer key to Syrax API.
  • Interactive setup installs Husky and writes `.husky` hooks.
  • Premium autofix writes `.cursorrules` and invokes AI CLIs.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • All mutations require running the CLI; hooks and autofix require prompts.
  • No hidden payload, eval, persistence, or foreign-agent install-time mutation found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 15.6 KB of source, external domains: syrax-analyzer.moisesvalero.es

Source & flagged code

2 flagged · loading source
bin/index.jsView file
4import path from 'path'; L5: import { execSync } from 'child_process'; L6: import prompts from 'prompts';
High
Child Process

Package source references child process execution.

bin/index.jsView on unpkg · L4
301const installCmd = L302: packageManager === 'pnpm' ? 'pnpm add -D husky' : 'npm install --save-dev husky'; L303: execSync(installCmd, { stdio: 'ignore' }); L304: execSync('npx husky init', { stdio: 'ignore' });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/index.jsView on unpkg · L301

Findings

3 High2 Medium3 Low
HighChild Processbin/index.js
HighShell
HighRuntime Package Installbin/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings