registry  /  @baochunli/flakes  /  0.0.10

@baochunli/flakes@0.0.10

Command-line interface for the Flakes distributed runtime.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a Flakes CLI that can register a local host agent, persist host credentials/config, connect to flakes.dev, and launch sandbox/worktree processes for assigned work. This is a real agent/runtime capability but is activated by explicit CLI commands, not by npm installation or import.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes commands such as `flakes up`, `flakes host setup`, or `flakes host run`.
Impact
A configured host may run Flakes-assigned work locally via MatchLock/worktree providers; no unconsented install-time execution was found.
Mechanism
first-party distributed runtime host-agent setup and control-plane transport
Rationale
Static inspection shows package-aligned but high-trust host-agent lifecycle behavior: explicit commands persist credentials/config, connect to the Flakes service, and launch local sandbox/worktree processes. Because there are no lifecycle hooks, no import-time execution, no covert exfiltration, and no unconsented broad AI-agent control-surface mutation, this should warn rather than block.
Evidence
package.jsondist/index.jsdist/io.jsdist/http.jsdist/auth-store.jsdist/commands/auth.jsdist/commands/host.jsdist/commands/up.jsdist/host-transport.jsdist/host-runner.jsdist/commands/harness.js.flakes/host/host.toml.flakes/host/host.credential.git/info/exclude~/.config/flakes/auth.json
Network endpoints5
flakes.dev/v1/hosts/setup/v1/hosts/<hostId>/stream/device/code/device/token

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/commands/up.js creates .flakes/host config/credential files and starts a Herdr host-agent pane on explicit `flakes up`.
  • dist/commands/host.js `host run` connects a host runtime to the control plane and can execute provider launches.
  • dist/host-runner.js can spawn MatchLock or worktree sandbox processes for remotely assigned leases.
  • dist/host-transport.js opens an authenticated WebSocket to /v1/hosts/<id>/stream.
  • dist/io.js hardcodes default API origin https://flakes.dev.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • dist/index.js only dispatches CLI commands when invoked as the main module.
  • File writes are tied to explicit user commands such as `flakes up`, `host setup`, `harness init`, and artifact/task fetches.
  • Credentials are written under user-selected or .config/.flakes paths with 0600-style modes; output redacts known sensitive fields.
  • Network requests target the Flakes control-plane API and auth/device-flow routes consistent with package purpose.
  • No evidence of credential harvesting, covert exfiltration, destructive behavior, or broad AI-agent control-surface mutation at install time.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 38 file(s), 515 KB of source, external domains: 127.0.0.1, flakes.dev, herdr.dev

Source & flagged code

3 flagged · loading source
dist/commands/server.jsView file
141patternName = generic_password severity = medium line = 141 matchedText = url.pass...ed";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/commands/server.jsView on unpkg · L141
dist/commands/harness.jsView file
343const specifier = stringFromModuleSpecifier(node.moduleSpecifier); L344: if (specifier !== undefined && isUnsupportedHarnessImport(specifier)) { L345: diagnostics.push(diagnosticAtNode(sourceFile, node.moduleSpecifier, {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/harness.jsView on unpkg · L343
dist/commands/host.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @baochunli/flakes@0.0.8 matchedIdentity = npm:QGJhb2NodW5saS9mbGFrZXM:0.0.8 similarity = 0.816 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/host.jsView on unpkg

Findings

1 High4 Medium4 Low
HighPrevious Version Dangerous Deltadist/commands/host.js
MediumSecret Patterndist/commands/server.js
MediumDynamic Requiredist/commands/harness.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License