AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a Flakes distributed-runtime CLI with user-invoked auth, host, task, artifact, server, and harness commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs flakes CLI commands such as auth login, host setup/run, tasks, artifacts, or server.
Impact
User-requested interaction with Flakes control plane and local runtime files; no unconsented install-time behavior found.
Mechanism
Package-aligned CLI network client and local config/credential writer
Rationale
Static inspection shows a user-invoked CLI for a distributed runtime; suspicious primitives are aligned with documented commands and guarded by explicit arguments/config. There are no lifecycle hooks, import-time side effects, exfiltration, persistence, or foreign AI-agent control-surface mutations.
Evidence
package.jsondist/index.jsdist/io.jsdist/http.jsdist/auth-store.jsdist/commands/auth.jsdist/commands/host.jsdist/host-runner.jsdist/host-transport.jsdist/commands/tasks.jsdist/commands/artifacts.jsdist/commands/server.js.env~/.config/flakes/auth.json~/.config/flakes/host.toml~/.config/flakes/host.credential~/.config/flakes/stateuser-specified harness/task/artifact/config paths
Network endpoints3
flakes.devwss://flakes.dev/v1/hosts/{hostId}/stream127.0.0.1
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no lifecycle scripts; only bin/main dist/index.js.
- dist/index.js dispatches user-invoked CLI commands and only loads .env at bin startup.
- Network calls in dist/http.js and dist/commands/auth.js target the package API default https://flakes.dev with bearer auth.
- Credential storage in dist/auth-store.js is explicit auth login state under .config/flakes/auth.json with 0600 writes.
- Host setup/run in dist/commands/host.js and dist/host-runner.js are explicit CLI workflows using user config and validated HTTPS/WebSocket control-plane messages.
- No AI-agent control-surface writes, shell startup persistence, broad home mutation, credential harvesting, or install/import-time execution found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
2 flagged · loading sourcedist/commands/server.jsView file
137patternName = generic_password
severity = medium
line = 137
matchedText = url.pass...ed";
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/commands/server.jsView on unpkg · L137dist/commands/harness.jsView file
343const specifier = stringFromModuleSpecifier(node.moduleSpecifier);
L344: if (specifier !== undefined && isUnsupportedHarnessImport(specifier)) {
L345: diagnostics.push(diagnosticAtNode(sourceFile, node.moduleSpecifier, {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/commands/harness.jsView on unpkg · L343Findings
4 Medium4 Low
MediumSecret Patterndist/commands/server.js
MediumDynamic Requiredist/commands/harness.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License