registry  /  toiljs  /  0.0.94

toiljs@0.0.94

The modern React framework: a file-based React frontend and a ToilScript-compiled WebAssembly backend.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `toiljs create` and accepts/defaults AI helper files
Impact
Generated project may include AGENTS.md/CLAUDE.md/Cursor/Copilot instruction pointers to toiljs docs
Mechanism
explicit scaffold writes project assistant pointer files
Rationale
Static inspection found no unconsented lifecycle behavior, exfiltration, remote payload execution, or destructive actions. Because the package does explicitly create AI assistant instruction files during a user command, treat it as a lifecycle/control-surface warning rather than malicious.
Evidence
package.jsonsrc/cli/create.tssrc/compiler/docs.tssrc/cli/notify.tssrc/cli/proc.tssrc/compiler/plugin.tssrc/devserver/email/providers.tsAGENTS.mdCLAUDE.md.cursor/rules/toiljs.mdc.github/copilot-instructions.md.toil/docs/
Network endpoints4
registry.npmjs.org/toiljs/latestapi.openai.com/v1/chat/completionsapi.anthropic.com/v1/messagesapi.resend.com/emails

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
  • src/cli/create.ts scaffolds AI assistant files by default during `toiljs create` unless `--no-ai` or deselected.
  • src/compiler/docs.ts defines CLAUDE.md, AGENTS.md, Cursor, and Copilot pointer-file contents for generated projects.
Evidence against
  • package.json has no preinstall/install/postinstall hooks; only prepublishOnly build.
  • src/cli/notify.ts npm registry update check is bounded, opt-out, cache-only, and package-aligned.
  • src/cli/proc.ts child_process use supports explicit CLI actions such as create/configure/update/build.
  • src/compiler/plugin.ts AI proxy is devserver-only, config-gated, same-origin checked, and uses user-configured keys/endpoints.
  • No credential harvesting, stealth persistence, destructive behavior, or import/install-time execution found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 345 file(s), 3.26 MB of source, external domains: 127.0.0.1, analytics.example.com, api.anthropic.com, api.example.com, api.openai.com, api.resend.com, cdn.example-analytics.com, cdn.example.com, cdn.jsdelivr.net, chatgpt.com, claude.ai, example.com, github.com, myaccount.google.com, nodejs.org, registry.npmjs.org, schema.org, toil.example, toil.org, vitejs.dev, widget.example.com, www.sitemaps.org, www.w3.org

Source & flagged code

4 flagged · loading source
tests/data-parity/generated-parity.tsView file
9import { fileURLToPath, pathToFileURL } from "node:url"; L10: import { spawnSync } from "node:child_process"; L11: const here = dirname(fileURLToPath(import.meta.url));
High
Child Process

Package source references child process execution.

tests/data-parity/generated-parity.tsView on unpkg · L9
60// Generated side: build the same value with the generated Foo class and encode. L61: const gen = (await import(pathToFileURL(modPath).href)) as { L62: Foo: new () => {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

tests/data-parity/generated-parity.tsView on unpkg · L60
build/cli/index.jsView file
1601const stdio = opts.stdio ?? "ignore"; L1602: const child = onWindows ? spawn([cmd, ...args].join(" "), { cwd, stdio, shell: true }) : spawn(cmd, args, { cwd, stdio }); L1603: child.on("error", reject);
High
Shell

Package source references shell execution.

build/cli/index.jsView on unpkg · L1601
build/compiler/plugin.jsView file
1import { spawn } from 'node:child_process'; L2: import fs from 'node:fs'; ... L11: async function aiComplete(ai, prompt) { L12: const key = ai.apiKeyEnv ? process.env[ai.apiKeyEnv] : undefined; L13: if (ai.endpoint) { L14: const r = await fetch(ai.endpoint, { L15: method: 'POST',
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

build/compiler/plugin.jsView on unpkg · L1

Findings

3 High4 Medium5 Low
HighChild Processtests/data-parity/generated-parity.ts
HighShellbuild/cli/index.js
HighSame File Env Network Executionbuild/compiler/plugin.js
MediumDynamic Requiretests/data-parity/generated-parity.ts
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings