registry  /  @baochunli/flakes  /  0.0.6

@baochunli/flakes@0.0.6

Command-line interface for the Flakes distributed runtime.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Flakes distributed-runtime CLI with user-invoked auth, host, task, artifact, server, and harness commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs flakes CLI commands such as auth login, host setup/run, tasks, artifacts, or server.
Impact
User-requested interaction with Flakes control plane and local runtime files; no unconsented install-time behavior found.
Mechanism
Package-aligned CLI network client and local config/credential writer
Rationale
Static inspection shows a user-invoked CLI for a distributed runtime; suspicious primitives are aligned with documented commands and guarded by explicit arguments/config. There are no lifecycle hooks, import-time side effects, exfiltration, persistence, or foreign AI-agent control-surface mutations.
Evidence
package.jsondist/index.jsdist/io.jsdist/http.jsdist/auth-store.jsdist/commands/auth.jsdist/commands/host.jsdist/host-runner.jsdist/host-transport.jsdist/commands/tasks.jsdist/commands/artifacts.jsdist/commands/server.js.env~/.config/flakes/auth.json~/.config/flakes/host.toml~/.config/flakes/host.credential~/.config/flakes/stateuser-specified harness/task/artifact/config paths
Network endpoints3
flakes.devwss://flakes.dev/v1/hosts/{hostId}/stream127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle scripts; only bin/main dist/index.js.
    • dist/index.js dispatches user-invoked CLI commands and only loads .env at bin startup.
    • Network calls in dist/http.js and dist/commands/auth.js target the package API default https://flakes.dev with bearer auth.
    • Credential storage in dist/auth-store.js is explicit auth login state under .config/flakes/auth.json with 0600 writes.
    • Host setup/run in dist/commands/host.js and dist/host-runner.js are explicit CLI workflows using user config and validated HTTPS/WebSocket control-plane messages.
    • No AI-agent control-surface writes, shell startup persistence, broad home mutation, credential harvesting, or install/import-time execution found.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 26 file(s), 256 KB of source, external domains: 127.0.0.1, flakes.dev

    Source & flagged code

    2 flagged · loading source
    dist/commands/server.jsView file
    137patternName = generic_password severity = medium line = 137 matchedText = url.pass...ed";
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/commands/server.jsView on unpkg · L137
    dist/commands/harness.jsView file
    343const specifier = stringFromModuleSpecifier(node.moduleSpecifier); L344: if (specifier !== undefined && isUnsupportedHarnessImport(specifier)) { L345: diagnostics.push(diagnosticAtNode(sourceFile, node.moduleSpecifier, {
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/commands/harness.jsView on unpkg · L343

    Findings

    4 Medium4 Low
    MediumSecret Patterndist/commands/server.js
    MediumDynamic Requiredist/commands/harness.js
    MediumNetwork
    MediumEnvironment Vars
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License