registry  /  systemview  /  2.0.0

systemview@2.0.0

A documentation and testing suite for SystemLynx

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious payload or install-time attack was found. A real CLI command-injection risk exists when opening URLs because user-controlled arguments are interpolated into a shell command.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs systemview open with crafted project_code or namespace
Impact
Possible local command execution under the invoking user's account; otherwise package behavior is aligned with a local documentation/testing tool.
Mechanism
unescaped child_process.exec browser launch
Attack narrative
The package does not execute during installation. When invoked, it starts a localhost SystemView server and can connect to user-supplied SystemLynx service URLs. The clearest security issue is cli/openBrowser.js using child_process.exec with unescaped command arguments derived from CLI input or manifest service metadata, enabling shell injection if a user supplies a crafted value.
Rationale
Static inspection supports a documentation/testing CLI with local server and user-directed network behavior, not malware. The unescaped exec and global TLS-disable behavior are significant security risks, so warning is appropriate rather than a publish block for malicious intent.
Evidence
package.jsoncli/index.jscli/openBrowser.jscli/cookieClient.jscli/connectService.jscli/probe.jscli/runTests.jsapi/index.jsapi/Connections.jssystemview.manifest.jsonsystemview.cookies.jsonapi/connections.jsonsystemview.logs
Network endpoints3
localhost:3000localhost:3000/systemview/apiuser-supplied serviceUrl from systemview.manifest.json or CLI

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • cli/openBrowser.js passes user-controlled project_code/namespace into child_process.exec without shell escaping
  • cli/index.js disables TLS verification with NODE_TLS_REJECT_UNAUTHORIZED="0" at CLI startup
  • cli/cookieClient.js persists captured Set-Cookie values to ./systemview.cookies.json
  • api/index.js exposes local shutdown/log/connect methods under localhost SystemView API
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • bin cli/index.js only runs when user invokes systemview command
  • network use is local SystemView API or user/manifest-supplied SystemLynx service URLs
  • no credential harvesting, broad filesystem crawling, persistence, or external hardcoded exfiltration endpoint found
  • build/static/js findings appear bundled React/app code, not install-time remote payload execution
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 30 file(s), 1.51 MB of source, external domains: atelierbram.github.io, chriskempson.com, clrs.cc, cscorley.github.io, ethanschoonover.com, fb.me, github.com, hart-dev.com, momentjs.com, railscasts.com, reactjs.org, sethawright.com, tybenz.com, www.monokai.nl, www.w3.org

Source & flagged code

5 flagged · loading source
cli/openBrowser.jsView file
1const { exec } = require("child_process"); L2: const resolveNamespace = require("./utils/resolveNamespace");
High
Child Process

Package source references child process execution.

cli/openBrowser.jsView on unpkg · L1
build/static/js/main.72103448.jsView file
1/*! For license information please see main.72103448.js.LICENSE.txt */ L2: (()=>{var e={3240(e){"use strict";var t=Object.prototype.hasOwnProperty,n=Object.prototype.toString,r=Object.defineProperty,a=Object.getOwnPropertyDescriptor,o=function(e){return"f... L3: //# sourceMappingURL=main.72103448.js.map
Critical
Download Execute

Source downloads or fetches remote code and executes it.

build/static/js/main.72103448.jsView on unpkg · L1
1/*! For license information please see main.72103448.js.LICENSE.txt */ L2: (()=>{var e={3240(e){"use strict";var t=Object.prototype.hasOwnProperty,n=Object.prototype.toString,r=Object.defineProperty,a=Object.getOwnPropertyDescriptor,o=function(e){return"f... L3: //# sourceMappingURL=main.72103448.js.map
High
Eval

Package source references dynamic code evaluation.

build/static/js/main.72103448.jsView on unpkg · L1
cli/cookieClient.jsView file
1const axios = require("axios").default; L2: const FormData = require("form-data");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

cli/cookieClient.jsView on unpkg · L1
cli/index.jsView file
2Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network L2: L3: process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; L4: ... L23: const DEFAULT_PORT = 3000; L24: const VERSION = require("../package.json").version; L25: ... L37: const namespace = input[2]; L38: const url = `http://localhost:${DEFAULT_PORT}`; L39: try { L40: await launchApp(DEFAULT_PORT); L41: const exitCode = await runTests(url, project_code, namespace, { L42: json: flags.json,
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

cli/index.jsView on unpkg · L2

Findings

1 Critical3 High4 Medium6 Low
CriticalDownload Executebuild/static/js/main.72103448.js
HighChild Processcli/openBrowser.js
HighEvalbuild/static/js/main.72103448.js
HighEntrypoint Build Divergencecli/index.js
MediumDynamic Requirecli/cookieClient.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License