AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package is a user-invoked health-management CLI with service API calls, auth-token persistence, and browser-open login flow.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs fmlhealth-cli commands such as auth login, members, tests, test-add, or analyze.
Impact
Stores an auth token under the user's home directory and sends authenticated API requests to the package service; no confirmed exfiltration or hidden execution.
Mechanism
User-invoked HTTPS API client with local token persistence
Rationale
Source inspection does not support the scanner claim that command output is exfiltrated: the only shell use opens a browser for OAuth login and ignores output. The token storage and service API traffic are package-aligned and user-invoked, with no lifecycle execution, persistence, destructive behavior, or credential harvesting found.
Evidence
- package.json
- bin/fmlhealth-cli.js
- SKILL.md
- ~/.fmlhealth-cli/token.json
Network endpoints (3)
- www.fmlhealth.cn
- www.fmlhealth.cn/api/auth/oauth/cli-token
- health.clawhelp.me/login.html
Decision evidence
public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- bin/fmlhealth-cli.js sends authenticated HTTPS requests to www.fmlhealth.cn.
- bin/fmlhealth-cli.js reads YJ_API_KEY/MCP_API_KEY and persists it as a CLI auth token.
- bin/fmlhealth-cli.js uses child_process.execSync to open the auth login URL.
- SKILL.md instructs AI agents to use fmlhealth-cli for health-data tasks.
Evidence against
- package.json has no lifecycle scripts; execution is via user-invoked bin only.
- child_process is limited to open/start/xdg-open for a constructed login URL, not arbitrary command execution or output capture.
- No code harvests shell output, environment dumps, project files, credentials, or agent config files.
- Network traffic is aligned with declared family-health CLI functions and a single service host.
- SKILL.md is shipped as documentation only; no install-time write or control-surface mutation is present.
Behavioral surface
ChildProcess, EnvironmentVars, Filesystem, Network, Shell
HighEntropyStrings, UrlStrings
NoLicense
Source & flagged code
3 flagged · bin/fmlhealth-cli.js
Critical
Command Output Exfiltration
Source executes local commands and sends command output to an external endpoint.
bin/fmlhealth-cli.js · L19
Trigger-reachable chain: manifest.bin -> bin/fmlhealth-cli.js
L19:
L20: const http = require('https');
L21: const fs = require('fs');
...
L25: const BASE_URL = 'https://www.fmlhealth.cn';
L26: const CONFIG_DIR = path.join(os.homedir(), '.fmlhealth-cli');
L27: const TOKEN_FILE = path.join(CONFIG_DIR, 'token.json');
...
L31: if (fs.existsSync(TOKEN_FILE)) {
L32: return JSON.parse(fs.readFileSync(TOKEN_FILE, 'utf8')).token;
L33: }
...
L45: if (saved) return saved;
L46: const env = process.env.YJ_API_KEY || process.env.MCP_API_KEY
L47: if (env) { saveToken(env); return env; }
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/fmlhealth-cli.js · L19
L207: const plat = require('os').platform();
L208: if (plat === 'darwin') require('child_process').execSync('open "' + loginUrl + '"');
L209: else if (plat === 'win32') require('child_process').execSync('start "" "' + loginUrl + '"');
High
Child Process
Package source references child process execution.
bin/fmlhealth-cli.js · L207
Findings
2 Critical · 2 High · 3 Medium · 4 Low
- Critical: Command Output Exfiltration (bin/fmlhealth-cli.js)
- Critical: Trigger Reachable Dangerous Capability (bin/fmlhealth-cli.js)
- High: Child Process (bin/fmlhealth-cli.js)
- High: Shell
- Medium: Network
- Medium: Environment Vars
- Medium: Structural Risk Force Deep Review
- Low: Filesystem
- Low: High Entropy Strings
- Low: Url Strings
- Low: No License