spoint
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: HIGHDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The
src/sdk/StaticHandler.jsfile contains a path traversal vulnerability in thecreateStaticHandlerfunction. The implementation constructs file paths by joining a base directory with a path derived from the request URL without properly validating that the resulting path remains within the intended directory boundaries. An attacker can exploit this using..sequences to read arbitrary files from the server filesystem that the Node.js process has permission to access.\n- [REMOTE_CODE_EXECUTION]: The application loading mechanism insrc/apps/AppLoader.jsuses a weak security boundary to validate game "app" code. The_validatefunction only checks for a small set of blocked string patterns (such aseval(andrequire(), which can be easily bypassed using standard JavaScript obfuscation techniques. The loader then executes this code using dynamicimport()ornew Function(), allowing for arbitrary code execution on the server hosting the SDK.\n- [REMOTE_CODE_EXECUTION]: The integrated 3D scene editor (client/editor/js/libs/app.js) evaluated script content using thenew Functionconstructor. This could allow for arbitrary JavaScript execution in a user's browser if a malicious project file is loaded into the editor.\n- [EXTERNAL_DOWNLOADS]: The engine is configured to download 3D models and other assets from the author's official GitHub repository athttps://raw.githubusercontent.com/AnEntrypoint/assets/. These downloads are processed byclient/ModelCache.jsand are handled as trusted vendor resources.\n- [COMMAND_EXECUTION]: The SDK includes a CLI toolbin/create-app.jsfor scaffolding applications. While functional, it constructs filesystem paths using unsanitized user-provided app names, which could lead to file write operations outside the intended directory. Additionally, the documentation suggests using commands likebunx spointandnode server.jsto manage the environment.
Recommendations
- AI detected serious security threats
Audit Metadata