
@athsra/cli@1.2.7

athsra CLI — E2EE secret manager on Cloudflare edge. Doppler-style dev UX + zero-knowledge encryption + soft-delete + version history. MIT.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface from static source inspection. The package is a user-invoked E2EE secret-manager CLI with expected network, keyring, MCP, and command-runner features.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs athsra CLI commands such as login, run, or mcp install --apply
Impact
No install-time execution, credential exfiltration, persistence, or unconsented agent control-surface mutation found
Mechanism
package-aligned secret-manager CLI operations
Rationale
Scanner reverse-shell and sandbox-evasion labels are explained by legitimate OIDC browser launch, localhost callback, explicit command execution, and environment-configured login flows. MCP registration and privileged tools are explicit, guarded product features rather than lifecycle-triggered hijacking.
Evidence
package.json, src/index.ts, src/lib/oidc-flow.ts, src/commands/login.ts, src/commands/run.ts, src/commands/mcp.ts, src/lib/mcp-register.ts, src/lib/config.ts, ~/.athsra/config.json, ~/.claude.json, .mcp.json, .cursor/mcp.json, .vscode/mcp.json
Network endpoints (5)
login.modfolio.io/.well-known/openid-configuration, connect.modfolio.io, athsra-worker.winterermod.workers.dev, api.cloudflare.com/client/v4, registry.npmjs.org/@athsra/cli/latest

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; bin/main is user-invoked src/index.ts.
    • src/lib/oidc-flow.ts child_process use only opens a browser for OIDC PKCE, not reverse shell/socket piping.
    • src/commands/run.ts spawns only the user-supplied command after explicit `athsra run ... -- <cmd>`.
    • src/commands/mcp.ts install is user-invoked, dry-run by default, and requires --apply to write MCP config.
    • MCP write/admin/value tools are gated by ATHSRA_MCP_WRITE, ATHSRA_MCP_ADMIN, or ATHSRA_MCP_READ_VALUES.
    • src/lib/config.ts restricts worker URLs to https or localhost before token use.
    Behavioral surface
    Source
    ChildProcess, Crypto, EnvironmentVars, Filesystem, NativeBindings, Network, Shell
    Supply chain
    HighEntropyStrings, UrlStrings
    Manifest
    No manifest risk signals triggered.
    scanned 69 file(s), 494 KB of source, external domains: 127.0.0.1, api.cloudflare.com, athsra-worker.winterermod.workers.dev, athsra.com, connect.modfolio.io, github.com, login.modfolio.io, registry.npmjs.org

    Source & flagged code

    5 flagged
    src/lib/oidc-flow.ts
        L5: * (PKCE generation → loopback callback → /token exchange) into a standalone module. login.ts keeps only the athsra-specific shell
        L6: * (keyring, config, worker /auth/sso exchange, master pw). Behavior, output, and exit code preserved (pure extraction).
        L7: *
        ...
        L10:
        L11: import { spawn } from 'node:child_process';
        L12: import { createHash, randomBytes } from 'node:crypto';
        L13: import { readFileSync } from 'node:fs';
        L14: import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
        L15: import { errMessage, isRecord } from './err.ts';
        ...
        L96: if (res.ok) {
        L97: const doc: unknown = await res.json();
        L98: if (hasOidcEndpoints(doc)) {
    Critical
    Reverse Shell

    Source matches reverse-shell style process and socket wiring.

    src/lib/oidc-flow.ts · L5
    Trigger-reachable chain: manifest.main -> src/index.ts -> src/commands/login.ts -> src/lib/oidc-flow.ts
        L5: * (PKCE generation → loopback callback → /token exchange) into a standalone module. login.ts keeps only the athsra-specific shell
        L6: * (keyring, config, worker /auth/sso exchange, master pw). Behavior, output, and exit code preserved (pure extraction).
        L7: *
        ...
        L10:
        L11: import { spawn } from 'node:child_process';
        L12: import { createHash, randomBytes } from 'node:crypto';
        L13: import { readFileSync } from 'node:fs';
        L14: import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
        L15: import { errMessage, isRecord } from './err.ts';
        ...
        L96: if (res.ok) {
        L97: const doc: unknown = await res.json();
        L98: if (hasOidcEndpoints(doc)) {
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    src/lib/oidc-flow.ts · L5
        L10:
        L11: import { spawn } from 'node:child_process';
        L12: import { createHash, randomBytes } from 'node:crypto';
    High
    Child Process

    Package source references child process execution.

    src/lib/oidc-flow.ts · L10
        L281: const platform = process.platform;
        L282: // WSL: a Linux platform, but xdg-open does not reach the host browser. Fall back to wslview/powershell.
        L283: if (platform === 'linux' && isWsl()) {
    High
    Shell

    Package source references shell execution.

    src/lib/oidc-flow.ts · L281
    src/commands/login.ts
        L82: const existing = loadConfig();
        L83: const envUrl = process.env.ATHSRA_WORKER_URL;
        L84: const workerUrl =
        ...
        L86: envUrl ??
        L87: (await promptText('Worker URL', 'https://athsra-worker.winterermod.workers.dev'));
        L88: const machineId = existing?.machineId ?? `${hostname()}-${Date.now().toString(36)}`;
        L89:
        ...
        L127: headers: { 'content-type': 'application/json' },
        L128: body: JSON.stringify({ access_token: accessToken, label: machineId }),
        L129: });
        L130: if (!ssoRes.ok) {
        L131: console.error(`✗ athsra worker SSO failed: ${ssoRes.status} ${await ssoRes.text()}`);
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    src/commands/login.ts · L82

    Findings

    2 Critical · 3 High · 3 Medium · 4 Low
    Critical · Reverse Shell · src/lib/oidc-flow.ts
    Critical · Trigger Reachable Dangerous Capability · src/lib/oidc-flow.ts
    High · Child Process · src/lib/oidc-flow.ts
    High · Shell · src/lib/oidc-flow.ts
    High · Sandbox Evasion Gated Capability · src/commands/login.ts
    Medium · Network
    Medium · Environment Vars
    Medium · Structural Risk Force Deep Review
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings