@athsra/cli@1.2.5

athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.

AI Security Review

scanned 23h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a secret-manager CLI with user-invoked MCP registration and opt-in agent tools, but no lifecycle or import-time mutation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs athsra commands such as login, run, mcp, or mcp install --apply
Impact
Can store tokens/master password in OS keyring, contact athsra/modfolio services, inject secrets into user-specified commands, and optionally register an MCP server when explicitly applied.
Mechanism
CLI secret-manager operations and optional MCP stdio server registration
Rationale
The scanner’s reverse-shell finding is explained by browser-opening and localhost OIDC callback code, not socket-to-shell wiring. MCP config writes are explicit CLI `mcp install --apply` behavior, not unconsented lifecycle mutation, so the package does not meet malicious criteria.
Evidence
package.json
src/index.ts
src/lib/oidc-flow.ts
src/commands/login.ts
src/commands/mcp.ts
src/lib/mcp-register.ts
~/.athsra/config.json
~/.claude.json
~/.cursor/mcp.json
.mcp.json
.cursor/mcp.json
.vscode/mcp.json
.athsra/secrets.json
Network endpoints (6)
login.modfolio.io/.well-known/openid-configuration
connect.modfolio.io
athsra-worker.winterermod.workers.dev
api.cloudflare.com/client/v4
registry.npmjs.org/@athsra/cli/latest
athsra.com/schema/secrets-manifest-v1.json

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • src/commands/mcp.ts has user-invoked `athsra mcp install --apply` that can write Claude/Cursor/VSCode MCP config files.
  • src/lib/mcp-register.ts supports user-scope targets `~/.claude.json` and `~/.cursor/mcp.json`.
  • MCP server exposes secret-manager tools; write/admin/value capabilities are gated by ATHSRA_MCP_* env flags.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts.
  • src/index.ts only dispatches CLI commands after user invocation; mcp is lazy-loaded only for `athsra mcp`.
  • src/lib/oidc-flow.ts child_process use opens a browser for OIDC login; loopback server binds 127.0.0.1 and validates state.
  • Network endpoints are package-aligned: modfolio/athsra auth, worker, npm update check, and Cloudflare API for adoption.
  • No evidence of credential harvesting/exfiltration beyond documented secret-manager login/keyring/token workflows.
  • No prompt injection or unconsented foreign AI-agent config mutation found at install/import time.
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Native Bindings, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 69 file(s), 488 KB of source, external domains: 127.0.0.1, api.cloudflare.com, athsra-worker.winterermod.workers.dev, athsra.com, connect.modfolio.io, github.com, login.modfolio.io, registry.npmjs.org

Source & flagged code

5 flagged
src/lib/oidc-flow.ts
L5:  * (PKCE generation → loopback callback → /token exchange) as an independent module. login.ts keeps only the athsra-specific shell
L6:  * (keyring · config · worker /auth/sso exchange · master pw). Behavior, output and exit codes are preserved (pure extraction).
L7:  * ...
L10:
L11: import { spawn } from 'node:child_process';
L12: import { createHash, randomBytes } from 'node:crypto';
L13: import { readFileSync } from 'node:fs';
L14: import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
L15: import { errMessage, isRecord } from './err.ts';
...
L96: if (res.ok) {
L97:   const doc: unknown = await res.json();
L98:   if (hasOidcEndpoints(doc)) {
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

src/lib/oidc-flow.ts, L5
Trigger-reachable chain: manifest.main -> src/index.ts -> src/commands/login.ts -> src/lib/oidc-flow.ts
L5:  * (PKCE generation → loopback callback → /token exchange) as an independent module. login.ts keeps only the athsra-specific shell
L6:  * (keyring · config · worker /auth/sso exchange · master pw). Behavior, output and exit codes are preserved (pure extraction).
L7:  * ...
L10:
L11: import { spawn } from 'node:child_process';
L12: import { createHash, randomBytes } from 'node:crypto';
L13: import { readFileSync } from 'node:fs';
L14: import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
L15: import { errMessage, isRecord } from './err.ts';
...
L96: if (res.ok) {
L97:   const doc: unknown = await res.json();
L98:   if (hasOidcEndpoints(doc)) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

src/lib/oidc-flow.ts, L5
L10:
L11: import { spawn } from 'node:child_process';
L12: import { createHash, randomBytes } from 'node:crypto';
High
Child Process

Package source references child process execution.

src/lib/oidc-flow.ts, L10
L281: const platform = process.platform;
L282: // WSL — Linux platform, but xdg-open does not reach the host browser. Fall back to wslview/powershell.
L283: if (platform === 'linux' && isWsl()) {
High
Shell

Package source references shell execution.

src/lib/oidc-flow.ts, L281
src/commands/login.ts
L82: const existing = loadConfig();
L83: const envUrl = process.env.ATHSRA_WORKER_URL;
L84: const workerUrl = ...
L86:   envUrl ??
L87:   (await promptText('Worker URL', 'https://athsra-worker.winterermod.workers.dev'));
L88: const machineId = existing?.machineId ?? `${hostname()}-${Date.now().toString(36)}`;
L89: ...
L127:   headers: { 'content-type': 'application/json' },
L128:   body: JSON.stringify({ access_token: accessToken, label: machineId }),
L129: });
L130: if (!ssoRes.ok) {
L131:   console.error(`✗ athsra worker SSO failed: ${ssoRes.status} ${await ssoRes.text()}`);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

src/commands/login.ts, L82

Findings

2 Critical · 3 High · 3 Medium · 4 Low
Critical · Reverse Shell · src/lib/oidc-flow.ts
Critical · Trigger Reachable Dangerous Capability · src/lib/oidc-flow.ts
High · Child Process · src/lib/oidc-flow.ts
High · Shell · src/lib/oidc-flow.ts
High · Sandbox Evasion Gated Capability · src/commands/login.ts
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings