AI Security Review
scanned 2h ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a Flakes CLI whose network, file, and process actions are tied to explicit user commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs flakes CLI subcommands such as auth, host, server, tasks, artifacts, harness, up, or down.
Impact
Expected CLI behavior: authenticate to Flakes, manage runs/tasks/hosts/artifacts, write local config or output files when requested.
Mechanism
User-invoked control-plane CLI operations
Rationale
Static inspection found a user-invoked CLI with package-aligned network calls and local credential/config handling, but no install-time execution, stealth persistence, credential harvesting, foreign AI-agent control mutation, or remote payload execution. Scanner signals map to expected CLI primitives rather than a malicious chain.
Evidence
package.jsondist/index.jsdist/io.jsdist/http.jsdist/credentials.jsdist/auth-store.jsdist/commands/auth.jsdist/commands/host.jsdist/commands/server.jsdist/commands/artifacts.jsdist/commands/harness.jsdist/commands/tasks.js~/.config/flakes/auth.json$XDG_CONFIG_HOME/flakes/auth.jsonuser-specified host config pathuser-specified host credential fileuser-specified artifact output pathuser-specified harness output file
Network endpoints6
flakes.devflakes.dev/console/api/auth/device/codeflakes.dev/console/api/auth/device/tokenflakes.dev/console/api/auth/get-sessionflakes.dev/v1/projectsflakes.dev/v1/artifacts
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- CLI can write user-requested files such as auth store, host config/credentials, artifacts, harness templates, and workpads.
- CLI uses child_process for browser open, git/herdr/host runtime commands, all behind explicit subcommands.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- dist/index.js only dispatches explicit CLI subcommands; import-time side effect is limited to bin entry detection.
- dist/io.js hardcodes package-aligned API origin https://flakes.dev.
- dist/http.js sends authenticated requests only to paths composed under the configured/default API URL.
- dist/auth-store.js stores login tokens locally under XDG/home with 0600 files, not exfiltration.
- dist/commands/server.js redacts database URLs and uses env/config for local server startup.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/commands/server.jsView file
141patternName = generic_password
severity = medium
line = 141
matchedText = url.pass...ed";
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/commands/server.jsView on unpkg · L141dist/commands/harness.jsView file
343const specifier = stringFromModuleSpecifier(node.moduleSpecifier);
L344: if (specifier !== undefined && isUnsupportedHarnessImport(specifier)) {
L345: diagnostics.push(diagnosticAtNode(sourceFile, node.moduleSpecifier, {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/commands/harness.jsView on unpkg · L343Findings
4 Medium4 Low
MediumSecret Patterndist/commands/server.js
MediumDynamic Requiredist/commands/harness.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License