registry  /  toiljs  /  0.0.106

toiljs@0.0.106

The modern React framework: a file-based React frontend and a ToilScript-compiled WebAssembly backend.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs toiljs create with AI helper files enabled or starts dev server with devtools AI configured.
Impact
May influence project-local AI assistant behavior or send user prompts to configured AI provider during dev; no install-time or stealth mutation found.
Mechanism
first-party scaffolding and dev tooling
Rationale
Source inspection shows package-aligned framework scaffolding, build/dev tooling, update checks, and email/AI integrations, but no unconsented install-time execution or concrete malicious chain. Because it can explicitly create AI assistant instruction files, treat as a warning-level agent capability surface rather than malware.
Evidence
package.jsonsrc/compiler/docs.tssrc/cli/create.tssrc/compiler/plugin.tssrc/cli/proc.tssrc/cli/notify.tssrc/devserver/email/providers.tsCLAUDE.mdAGENTS.md.cursor/rules/toiljs.mdc.github/copilot-instructions.md.toil/docs/*
Network endpoints4
registry.npmjs.org/toiljs/latestapi.openai.com/v1/chat/completionsapi.anthropic.com/v1/messagesapi.resend.com/emails

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/compiler/docs.ts defines optional AI assistant pointer files: CLAUDE.md, AGENTS.md, .cursor/rules/toiljs.mdc, and Copilot instructions.
  • src/cli/create.ts scaffolds those helper files by default unless --no-ai or deselected.
  • build/compiler/plugin.js exposes dev-only /__toil/ai proxy to configured OpenAI/Anthropic/custom endpoint using env API keys.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
  • src/compiler/plugin.ts confines /__toil/open and /__toil/source to project root via realpath and blocks cross-site Sec-Fetch-Site.
  • src/cli/create.ts validates project dir stays under cwd and package manager is allowlisted.
  • src/cli/proc.ts child_process use runs fixed tool commands for create/update/configure/build workflows.
  • src/cli/notify.ts registry fetch is package-aligned update check and honors opt-out env vars.
  • No credential harvesting, stealth persistence, destructive behavior, or remote payload execution found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 347 file(s), 3.50 MB of source, external domains: 127.0.0.1, analytics.example.com, api.anthropic.com, api.example.com, api.openai.com, api.resend.com, cdn.example-analytics.com, cdn.example.com, cdn.jsdelivr.net, chatgpt.com, claude.ai, example.com, github.com, myaccount.google.com, nodejs.org, registry.npmjs.org, schema.org, toil.example, toil.org, vitejs.dev, widget.example.com, www.scylladb.com, www.sitemaps.org, www.w3.org

Source & flagged code

5 flagged · loading source
tests/data-parity/generated-parity.tsView file
9import { fileURLToPath, pathToFileURL } from "node:url"; L10: import { spawnSync } from "node:child_process"; L11: const here = dirname(fileURLToPath(import.meta.url));
High
Child Process

Package source references child process execution.

tests/data-parity/generated-parity.tsView on unpkg · L9
60// Generated side: build the same value with the generated Foo class and encode. L61: const gen = (await import(pathToFileURL(modPath).href)) as { L62: Foo: new () => {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tests/data-parity/generated-parity.tsView on unpkg · L60
build/cli/index.jsView file
1601const stdio = opts.stdio ?? "ignore"; L1602: const child = onWindows ? spawn([cmd, ...args].join(" "), { cwd, stdio, shell: true }) : spawn(cmd, args, { cwd, stdio }); L1603: child.on("error", reject);
High
Shell

Package source references shell execution.

build/cli/index.jsView on unpkg · L1601
build/compiler/plugin.jsView file
1import { spawn } from 'node:child_process'; L2: import fs from 'node:fs'; ... L11: async function aiComplete(ai, prompt) { L12: const key = ai.apiKeyEnv ? process.env[ai.apiKeyEnv] : undefined; L13: if (ai.endpoint) { L14: const r = await fetch(ai.endpoint, { L15: method: 'POST',
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

build/compiler/plugin.jsView on unpkg · L1
build/compiler/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = toiljs@0.0.104 matchedIdentity = npm:dG9pbGpz:0.0.104 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/compiler/index.jsView on unpkg

Findings

4 High4 Medium5 Low
HighChild Processtests/data-parity/generated-parity.ts
HighShellbuild/cli/index.js
HighSame File Env Network Executionbuild/compiler/plugin.js
HighPrevious Version Dangerous Deltabuild/compiler/index.js
MediumDynamic Requiretests/data-parity/generated-parity.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings