registry  /  @baochunli/flakes  /  0.0.11

@baochunli/flakes@0.0.11

Command-line interface for the Flakes distributed runtime.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a Flakes CLI whose network, file, and process actions are tied to explicit user commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs flakes CLI subcommands such as auth, host, server, tasks, artifacts, harness, up, or down.
Impact
Expected CLI behavior: authenticate to Flakes, manage runs/tasks/hosts/artifacts, write local config or output files when requested.
Mechanism
User-invoked control-plane CLI operations
Rationale
Static inspection found a user-invoked CLI with package-aligned network calls and local credential/config handling, but no install-time execution, stealth persistence, credential harvesting, foreign AI-agent control mutation, or remote payload execution. Scanner signals map to expected CLI primitives rather than a malicious chain.
Evidence
package.jsondist/index.jsdist/io.jsdist/http.jsdist/credentials.jsdist/auth-store.jsdist/commands/auth.jsdist/commands/host.jsdist/commands/server.jsdist/commands/artifacts.jsdist/commands/harness.jsdist/commands/tasks.js~/.config/flakes/auth.json$XDG_CONFIG_HOME/flakes/auth.jsonuser-specified host config pathuser-specified host credential fileuser-specified artifact output pathuser-specified harness output file
Network endpoints6
flakes.devflakes.dev/console/api/auth/device/codeflakes.dev/console/api/auth/device/tokenflakes.dev/console/api/auth/get-sessionflakes.dev/v1/projectsflakes.dev/v1/artifacts

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • CLI can write user-requested files such as auth store, host config/credentials, artifacts, harness templates, and workpads.
  • CLI uses child_process for browser open, git/herdr/host runtime commands, all behind explicit subcommands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • dist/index.js only dispatches explicit CLI subcommands; import-time side effect is limited to bin entry detection.
  • dist/io.js hardcodes package-aligned API origin https://flakes.dev.
  • dist/http.js sends authenticated requests only to paths composed under the configured/default API URL.
  • dist/auth-store.js stores login tokens locally under XDG/home with 0600 files, not exfiltration.
  • dist/commands/server.js redacts database URLs and uses env/config for local server startup.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 39 file(s), 517 KB of source, external domains: 127.0.0.1, flakes.dev, herdr.dev

Source & flagged code

2 flagged · loading source
dist/commands/server.jsView file
141patternName = generic_password severity = medium line = 141 matchedText = url.pass...ed";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/commands/server.jsView on unpkg · L141
dist/commands/harness.jsView file
343const specifier = stringFromModuleSpecifier(node.moduleSpecifier); L344: if (specifier !== undefined && isUnsupportedHarnessImport(specifier)) { L345: diagnostics.push(diagnosticAtNode(sourceFile, node.moduleSpecifier, {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/harness.jsView on unpkg · L343

Findings

4 Medium4 Low
MediumSecret Patterndist/commands/server.js
MediumDynamic Requiredist/commands/harness.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License