AI Security Review
scanned 17h ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a Flakes CLI that performs network, credential storage, host setup, and subprocess actions only through explicit commands aligned with its stated runtime tooling purpose.
Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes `flakes` subcommands such as auth login, host setup/run, server, tasks, or artifacts.
Impact
User-authorized API calls to Flakes control plane and local config/credential file creation; no unconsented install-time mutation or exfiltration observed.
Mechanism
package-aligned CLI control-plane and host-agent management
Rationale
Static source inspection shows suspicious primitives are CLI features: authenticated API requests, local credential/config persistence, harness validation, and user-requested subprocesses. There are no lifecycle hooks, import-time exfiltration, stealth persistence, destructive actions, or unconsented AI-agent control-surface writes.
Evidence
package.jsondist/index.jsdist/io.jsdist/http.jsdist/auth-store.jsdist/commands/auth.jsdist/commands/host.jsdist/commands/server.jsdist/commands/harness.js~/.config/flakes/auth.json<user-specified host config><user-specified host credential file><user-specified state dir>.env
Network endpoints2
flakes.devherdr.dev/docs
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/commands/host.js can write host config/credential files during explicit `flakes host setup`.
- dist/index.js loads local `.env` only when invoked as the CLI bin.
- dist/index.js spawns OS URL opener for auth/login URLs; host terminal can spawn ssh only with explicit `--exec`.
- dist/io.js uses hosted API default https://flakes.dev and CLI commands send bearer tokens there.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- dist/index.js only dispatches user-invoked CLI subcommands; no import-time network or filesystem mutation beyond bin execution path.
- dist/auth-store.js stores CLI credentials under user config with 0600-style permissions; no harvesting loop or broad secret scan seen.
- dist/commands/server.js redacts database URL credentials in output and uses env token hash key only for local server config.
- dist/commands/harness.js dynamic require is for resolving @flakes/harness-sdk during explicit harness validation/init.
- No prompt injection, persistence outside package-aligned config, destructive behavior, or remote payload execution found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/commands/server.jsView file
141patternName = generic_password
severity = medium
line = 141
matchedText = url.pass...ed";
Medium
Secret Pattern
Package contains a possible secret pattern.
dist/commands/server.jsView on unpkg · L141dist/commands/harness.jsView file
343const specifier = stringFromModuleSpecifier(node.moduleSpecifier);
L344: if (specifier !== undefined && isUnsupportedHarnessImport(specifier)) {
L345: diagnostics.push(diagnosticAtNode(sourceFile, node.moduleSpecifier, {
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/commands/harness.jsView on unpkg · L343dist/index.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @baochunli/flakes@0.0.7
matchedIdentity = npm:QGJhb2NodW5saS9mbGFrZXM:0.0.7
similarity = 0.838
summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.jsView on unpkgFindings
1 High4 Medium4 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumSecret Patterndist/commands/server.js
MediumDynamic Requiredist/commands/harness.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License