registry  /  toiljs  /  0.0.86

toiljs@0.0.86

The modern React framework: a file-based React frontend and a ToilScript-compiled WebAssembly backend.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `toiljs create` with AI helper files enabled, or configures devtools AI/email/update features.
Impact
Creates framework guidance files and may call configured package-aligned network services during CLI/devserver use; no unconsented install-time mutation or exfiltration was confirmed.
Mechanism
User-command project scaffolding and framework dev tooling
Rationale
Source inspection shows package-aligned CLI/devserver functionality with no install-time execution, credential harvesting, or unconsented broad agent-control mutation. Because `toiljs create` can explicitly scaffold AI-agent instruction files by default, treat as a warning-level agent capability surface rather than malicious behavior.
Evidence
package.jsonsrc/compiler/docs.tssrc/cli/create.tssrc/compiler/plugin.tssrc/cli/proc.tssrc/cli/notify.tssrc/devserver/email/providers.tsAGENTS.mdCLAUDE.md.cursor/rules/toiljs.mdc.github/copilot-instructions.md.toil/docs/index.md.cache/toiljs/update-check.json
Network endpoints4
api.openai.com/v1/chat/completionsapi.anthropic.com/v1/messagesapi.resend.com/emailsregistry.npmjs.org/toiljs/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/compiler/docs.ts defines AI helper pointer files for CLAUDE.md, AGENTS.md, .cursor/rules/toiljs.mdc, and .github/copilot-instructions.md.
  • src/cli/create.ts selects AI helper files by default for `toiljs create`, but exposes `--no-ai` and an interactive None option.
  • src/compiler/plugin.ts includes a dev-only AI proxy reading configured API-key env vars and posting prompts to OpenAI/Anthropic/custom endpoints.
Evidence against
  • package.json has only prepublishOnly; no preinstall/install/postinstall lifecycle execution.
  • AI helper contents are framework documentation pointers to .toil/docs, not prompt-injection, credential access, or command instructions.
  • src/compiler/plugin.ts dev endpoints reject cross-site requests and constrain file access to the project root via realpath checks.
  • src/cli/proc.ts child_process usage supports explicit CLI actions such as create/update/install/git, not import-time execution.
  • Network usage is package-aligned: update checks, dev AI proxy, local dev proxy/WebSocket, and configured email sending.
  • No evidence of credential harvesting, stealth persistence, destructive behavior, or remote payload loading at install/import time.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 344 file(s), 2.30 MB of source, external domains: api.anthropic.com, api.example.com, api.openai.com, api.resend.com, cdn.jsdelivr.net, chatgpt.com, claude.ai, github.com, myaccount.google.com, registry.npmjs.org, toil.example, toil.org, www.sitemaps.org, www.w3.org

Source & flagged code

5 flagged · loading source
tests/data-parity/generated-parity.tsView file
9import { fileURLToPath, pathToFileURL } from "node:url"; L10: import { spawnSync } from "node:child_process"; L11: const here = dirname(fileURLToPath(import.meta.url));
High
Child Process

Package source references child process execution.

tests/data-parity/generated-parity.tsView on unpkg · L9
60// Generated side: build the same value with the generated Foo class and encode. L61: const gen = (await import(pathToFileURL(modPath).href)) as { L62: Foo: new () => {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tests/data-parity/generated-parity.tsView on unpkg · L60
build/cli/index.jsView file
1591const stdio = opts.stdio ?? "ignore"; L1592: const child = onWindows ? spawn([cmd, ...args].join(" "), { cwd, stdio, shell: true }) : spawn(cmd, args, { cwd, stdio }); L1593: child.on("error", reject);
High
Shell

Package source references shell execution.

build/cli/index.jsView on unpkg · L1591
build/compiler/plugin.jsView file
1import { spawn } from 'node:child_process'; L2: import fs from 'node:fs'; ... L11: async function aiComplete(ai, prompt) { L12: const key = ai.apiKeyEnv ? process.env[ai.apiKeyEnv] : undefined; L13: if (ai.endpoint) { L14: const r = await fetch(ai.endpoint, { L15: method: 'POST',
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

build/compiler/plugin.jsView on unpkg · L1
build/compiler/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = toiljs@0.0.84 matchedIdentity = npm:dG9pbGpz:0.0.84 similarity = 0.892 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

build/compiler/index.jsView on unpkg

Findings

4 High4 Medium5 Low
HighChild Processtests/data-parity/generated-parity.ts
HighShellbuild/cli/index.js
HighSame File Env Network Executionbuild/compiler/plugin.js
HighPrevious Version Dangerous Deltabuild/compiler/index.js
MediumDynamic Requiretests/data-parity/generated-parity.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings