
systemview@1.22.0

A documentation and testing suite for SystemLynx

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time behavior. The main unresolved risk is a user-invoked CLI command injection path in browser opening plus weakened TLS checks.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
User runs systemview open with crafted project_code/namespace or connects to user-selected services
Impact
Potential local command execution via crafted CLI arguments; otherwise local UI/service testing behavior
Mechanism
user-invoked shell exec with unescaped arguments
Rationale
Source inspection does not support a malicious verdict: risky primitives are tied to the documented local UI/service testing workflow and there is no install-time payload, persistence, harvesting, or external C2. The unescaped exec path and global TLS disablement are real security issues, so warn rather than block.
Evidence
  • package.json
  • cli/index.js
  • cli/openBrowser.js
  • cli/cookieClient.js
  • cli/connectService.js
  • cli/manifest.js
  • api/index.js
  • api/Connections.js
  • build/static/js/main.e9f9f4f8.js
  • systemview.cookies.json
  • systemview.manifest.json
  • api/connections.json
  • api/cli-history.json
Network endpoints (2)
  • localhost:3000
  • localhost:3000/systemview/api

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • cli/openBrowser.js builds a shell command with unescaped URL/path components and passes it to child_process.exec
  • cli/index.js disables TLS certificate validation for the CLI process
  • cli/cookieClient.js stores captured cookies in process.cwd()/systemview.cookies.json
  • api/Connections.js persists connected service metadata under api/connections.json
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin cli/index.js only runs when user invokes systemview
  • Network use is package-aligned: localhost UI and user-supplied SystemLynx service URLs
  • No credential harvesting or hardcoded exfiltration endpoint found
  • Build bundle loads http://localhost:3000/systemview/api and scanner eval hit appears from bundled app/source-map identifiers, not remote payload execution
Behavioral surface
Source
Child Process, Dynamic Require, Environment Vars, Eval, Filesystem, Network
Supply chain
High Entropy Strings, Minified, Obfuscated, Url Strings
Manifest
No License
scanned 32 file(s), 1.54 MB of source, external domains: atelierbram.github.io, chriskempson.com, clrs.cc, cscorley.github.io, ethanschoonover.com, fb.me, github.com, hart-dev.com, momentjs.com, railscasts.com, reactjs.org, sethawright.com, tybenz.com, www.monokai.nl, www.w3.org

Source & flagged code

6 flagged
cli/openBrowser.js
    L1: const { exec } = require("child_process");
    L2: const resolveNamespace = require("./utils/resolveNamespace");
High
Child Process

Package source references child process execution.

cli/openBrowser.js · L1
build/static/js/main.e9f9f4f8.js
    L1: /*! For license information please see main.e9f9f4f8.js.LICENSE.txt */
    L2: (()=>{var e={3240(e){"use strict";var t=Object.prototype.hasOwnProperty,n=Object.prototype.toString,r=Object.defineProperty,a=Object.getOwnPropertyDescriptor,o=function(e){return"f...
    L3: //# sourceMappingURL=main.e9f9f4f8.js.map
Critical
Download Execute

Source downloads or fetches remote code and executes it.

build/static/js/main.e9f9f4f8.js · L1
High
Eval

Package source references dynamic code evaluation.

build/static/js/main.e9f9f4f8.js · L1
cli/cookieClient.js
    L1: const axios = require("axios").default;
    L2: const FormData = require("form-data");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

cli/cookieClient.js · L1
cli/index.js
    matchType = previous_version_dangerous_delta
    matchedPackage = systemview@1.21.0
    matchedIdentity = npm:c3lzdGVtdmlldw:1.21.0
    similarity = 0.774
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

cli/index.js
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network
    L2:
    L3: process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
    L4: ...
    L24: const DEFAULT_PORT = 3000;
    L25: const VERSION = require("../package.json").version;
    L26: const UI_URL = `http://localhost:${DEFAULT_PORT}`;
    L27:
    L28: const MANIFEST_FILE = flags.manifest || path.join(process.cwd(), "systemview.manifest.json");
    L29: const connectedUrls = new Set();
    ...
    L33: try {
    L34: const manifest = JSON.parse(fs.readFileSync(MANIFEST_FILE, "utf8"));
    L35: const services = manifest.services || [manifest];
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

cli/index.js · L2

Findings

2 Critical · 3 High · 4 Medium · 6 Low
  • Critical: Download Execute (build/static/js/main.e9f9f4f8.js)
  • Critical: Previous Version Dangerous Delta (cli/index.js)
  • High: Child Process (cli/openBrowser.js)
  • High: Eval (build/static/js/main.e9f9f4f8.js)
  • High: Entrypoint Build Divergence (cli/index.js)
  • Medium: Dynamic Require (cli/cookieClient.js)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Obfuscated
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: No License