registry  /  @baochunli/flakes  /  0.0.8

@baochunli/flakes@0.0.8

Command-line interface for the Flakes distributed runtime.

AI Security Review

scanned 17h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a Flakes CLI that performs network, credential storage, host setup, and subprocess actions only through explicit commands aligned with its stated runtime tooling purpose.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes `flakes` subcommands such as auth login, host setup/run, server, tasks, or artifacts.
Impact
User-authorized API calls to Flakes control plane and local config/credential file creation; no unconsented install-time mutation or exfiltration observed.
Mechanism
package-aligned CLI control-plane and host-agent management
Rationale
Static source inspection shows suspicious primitives are CLI features: authenticated API requests, local credential/config persistence, harness validation, and user-requested subprocesses. There are no lifecycle hooks, import-time exfiltration, stealth persistence, destructive actions, or unconsented AI-agent control-surface writes.
Evidence
package.jsondist/index.jsdist/io.jsdist/http.jsdist/auth-store.jsdist/commands/auth.jsdist/commands/host.jsdist/commands/server.jsdist/commands/harness.js~/.config/flakes/auth.json<user-specified host config><user-specified host credential file><user-specified state dir>.env
Network endpoints2
flakes.devherdr.dev/docs

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/host.js can write host config/credential files during explicit `flakes host setup`.
  • dist/index.js loads local `.env` only when invoked as the CLI bin.
  • dist/index.js spawns OS URL opener for auth/login URLs; host terminal can spawn ssh only with explicit `--exec`.
  • dist/io.js uses hosted API default https://flakes.dev and CLI commands send bearer tokens there.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts.
  • dist/index.js only dispatches user-invoked CLI subcommands; no import-time network or filesystem mutation beyond bin execution path.
  • dist/auth-store.js stores CLI credentials under user config with 0600-style permissions; no harvesting loop or broad secret scan seen.
  • dist/commands/server.js redacts database URL credentials in output and uses env token hash key only for local server config.
  • dist/commands/harness.js dynamic require is for resolving @flakes/harness-sdk during explicit harness validation/init.
  • No prompt injection, persistence outside package-aligned config, destructive behavior, or remote payload execution found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 38 file(s), 509 KB of source, external domains: 127.0.0.1, flakes.dev, herdr.dev

Source & flagged code

3 flagged · loading source
dist/commands/server.jsView file
141patternName = generic_password severity = medium line = 141 matchedText = url.pass...ed";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/commands/server.jsView on unpkg · L141
dist/commands/harness.jsView file
343const specifier = stringFromModuleSpecifier(node.moduleSpecifier); L344: if (specifier !== undefined && isUnsupportedHarnessImport(specifier)) { L345: diagnostics.push(diagnosticAtNode(sourceFile, node.moduleSpecifier, {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/commands/harness.jsView on unpkg · L343
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @baochunli/flakes@0.0.7 matchedIdentity = npm:QGJhb2NodW5saS9mbGFrZXM:0.0.7 similarity = 0.838 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 High4 Medium4 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumSecret Patterndist/commands/server.js
MediumDynamic Requiredist/commands/harness.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License