@athsra/cli@1.2.6

athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network, keyring, MCP, and child_process behavior are aligned with an E2EE secret-manager CLI and require explicit user commands or opt-in flags.

Static reason: High-risk behavior combination matched malicious policy.
Trigger: User-invoked CLI commands such as login, run, mcp, or mcp install --apply
Impact: No install-time execution, unconsented persistence, credential exfiltration, or foreign AI-agent control hijack found.
Mechanism: package-aligned secret management, browser login, MCP server, and env injection
Rationale: Static source inspection found risky primitives, but they are user-invoked and package-aligned for a secret manager CLI. There is no lifecycle hook, automatic foreign agent config mutation, hidden exfiltration, or remote-code payload behavior.
Evidence:
• package.json
• src/index.ts
• src/lib/oidc-flow.ts
• src/commands/login.ts
• src/commands/run.ts
• src/commands/mcp.ts
• src/lib/mcp-register.ts
• src/lib/mcp-tools/run.ts
• src/lib/mcp-tools/read.ts
• src/lib/mcp-tools/write.ts
• ~/.athsra/config.json
• OS keyring
• .mcp.json
• ~/.claude.json
• .cursor/mcp.json
• .vscode/mcp.json
• .athsra/secrets.json
Network endpoints (5):
• login.modfolio.io/.well-known/openid-configuration
• connect.modfolio.io
• athsra-worker.winterermod.workers.dev
• registry.npmjs.org/@athsra/cli/latest
• api.cloudflare.com/client/v4

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks
    • src/index.ts only dispatches explicit athsra CLI commands
    • src/lib/oidc-flow.ts child_process use only opens browser/WSL URL during login
    • src/commands/run.ts executes a user-supplied command only via explicit athsra run
    • src/commands/mcp.ts install is dry-run by default and writes MCP config only with --apply
    • MCP write/value/admin tools are gated by ATHSRA_MCP_* env opt-ins and confirmations
    Behavioral surface
    Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
    Supply chain: HighEntropyStrings, UrlStrings
    Manifest: No manifest risk signals triggered.
    scanned 69 file(s), 494 KB of source, external domains: 127.0.0.1, api.cloudflare.com, athsra-worker.winterermod.workers.dev, athsra.com, connect.modfolio.io, github.com, login.modfolio.io, registry.npmjs.org

    Source & flagged code

    5 flagged
    src/lib/oidc-flow.ts
    L5:  * (PKCE generation → loopback callback → /token exchange) into a standalone module. login.ts keeps only the athsra-specific shell
    L6:  * (keyring, config, worker /auth/sso exchange, master pw). Behavior, output, and exit code are preserved (pure extraction).
    L7:  *
    ...
    L10:
    L11: import { spawn } from 'node:child_process';
    L12: import { createHash, randomBytes } from 'node:crypto';
    L13: import { readFileSync } from 'node:fs';
    L14: import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
    L15: import { errMessage, isRecord } from './err.ts';
    ...
    L96: if (res.ok) {
    L97: const doc: unknown = await res.json();
    L98: if (hasOidcEndpoints(doc)) {
    Critical
    Reverse Shell

    Source matches reverse-shell style process and socket wiring.

    src/lib/oidc-flow.ts · L5
    Trigger-reachable chain: manifest.main -> src/index.ts -> src/commands/login.ts -> src/lib/oidc-flow.ts
    L5:  * (PKCE generation → loopback callback → /token exchange) into a standalone module. login.ts keeps only the athsra-specific shell
    L6:  * (keyring, config, worker /auth/sso exchange, master pw). Behavior, output, and exit code are preserved (pure extraction).
    L7:  *
    ...
    L10:
    L11: import { spawn } from 'node:child_process';
    L12: import { createHash, randomBytes } from 'node:crypto';
    L13: import { readFileSync } from 'node:fs';
    L14: import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
    L15: import { errMessage, isRecord } from './err.ts';
    ...
    L96: if (res.ok) {
    L97: const doc: unknown = await res.json();
    L98: if (hasOidcEndpoints(doc)) {
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    src/lib/oidc-flow.ts · L5
    L10:
    L11: import { spawn } from 'node:child_process';
    L12: import { createHash, randomBytes } from 'node:crypto';
    High
    Child Process

    Package source references child process execution.

    src/lib/oidc-flow.ts · L10
    L281: const platform = process.platform;
    L282: // WSL: the platform is Linux, but xdg-open does not reach the host browser. Fall back to wslview/powershell.
    L283: if (platform === 'linux' && isWsl()) {
    High
    Shell

    Package source references shell execution.

    src/lib/oidc-flow.ts · L281
    src/commands/login.ts
    L82: const existing = loadConfig();
    L83: const envUrl = process.env.ATHSRA_WORKER_URL;
    L84: const workerUrl =
    ...
    L86: envUrl ??
    L87: (await promptText('Worker URL', 'https://athsra-worker.winterermod.workers.dev'));
    L88: const machineId = existing?.machineId ?? `${hostname()}-${Date.now().toString(36)}`;
    L89:
    ...
    L127: headers: { 'content-type': 'application/json' },
    L128: body: JSON.stringify({ access_token: accessToken, label: machineId }),
    L129: });
    L130: if (!ssoRes.ok) {
    L131: console.error(`✗ athsra worker SSO failed: ${ssoRes.status} ${await ssoRes.text()}`);
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    src/commands/login.ts · L82

    Findings

    2 Critical · 3 High · 3 Medium · 4 Low
    Critical · Reverse Shell · src/lib/oidc-flow.ts
    Critical · Trigger Reachable Dangerous Capability · src/lib/oidc-flow.ts
    High · Child Process · src/lib/oidc-flow.ts
    High · Shell · src/lib/oidc-flow.ts
    High · Sandbox Evasion Gated Capability · src/commands/login.ts
    Medium · Network
    Medium · Environment Vars
    Medium · Structural Risk Force Deep Review
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings