AI Security Review
scanned 2d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked health-management CLI that talks to its documented backend and stores an auth token for later API calls.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs fmlhealth-cli commands, especially auth login or health data commands.
Impact
Can read/write the user's health-service data when the user provides or obtains a token; no unrelated system data collection or exfiltration found.
Mechanism
Package-aligned authenticated HTTPS API client
Rationale
Static inspection shows the risky primitives are aligned with the documented CLI purpose: authenticated health-service API calls, local token persistence, and opening an OAuth login page. There is no install-time behavior, command-output exfiltration, credential harvesting beyond its own token, or AI-agent control-surface mutation.
Evidence
package.jsonbin/fmlhealth-cli.jsREADME.mdSKILL.md~/.fmlhealth-cli/token.json
Network endpoints3
www.fmlhealth.cn/apiwww.fmlhealth.cn/api/auth/oauth/cli-tokenhealth.clawhelp.me/login.html
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no lifecycle scripts; only bin entrypoint is bin/fmlhealth-cli.js.
- bin/fmlhealth-cli.js network calls target the documented health service www.fmlhealth.cn APIs.
- child_process.execSync is only used inside user-invoked auth login to open a browser to the login URL.
- Token handling is limited to reading env vars/saved token and sending it as Authorization to the service API.
- README.md and SKILL.md describe the same health-management CLI commands implemented by the bin file.
- No eval/vm/native binary loading, install-time execution, persistence, broad file harvesting, or unrelated exfiltration found.
Behavioral surface
ChildProcessEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcebin/fmlhealth-cli.jsView file
20L21: const http = require('https');
L22: const fs = require('fs');
...
L26: const BASE_URL = 'https://www.fmlhealth.cn';
L27: const CONFIG_DIR = path.join(os.homedir(), '.fmlhealth-cli');
L28: const TOKEN_FILE = path.join(CONFIG_DIR, 'token.json');
...
L32: if (fs.existsSync(TOKEN_FILE)) {
L33: return JSON.parse(fs.readFileSync(TOKEN_FILE, 'utf8')).token;
L34: }
...
L46: if (saved) return saved;
L47: const env = process.env.YJ_API_KEY || process.env.MCP_API_KEY
L48: if (env) { saveToken(env); return env; }
Critical
Command Output Exfiltration
Source executes local commands and sends command output to an external endpoint.
bin/fmlhealth-cli.jsView on unpkg · L2020Trigger-reachable chain: manifest.bin -> bin/fmlhealth-cli.js
L20:
L21: const http = require('https');
L22: const fs = require('fs');
...
L26: const BASE_URL = 'https://www.fmlhealth.cn';
L27: const CONFIG_DIR = path.join(os.homedir(), '.fmlhealth-cli');
L28: const TOKEN_FILE = path.join(CONFIG_DIR, 'token.json');
...
L32: if (fs.existsSync(TOKEN_FILE)) {
L33: return JSON.parse(fs.readFileSync(TOKEN_FILE, 'utf8')).token;
L34: }
...
L46: if (saved) return saved;
L47: const env = process.env.YJ_API_KEY || process.env.MCP_API_KEY
L48: if (env) { saveToken(env); return env; }
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
bin/fmlhealth-cli.jsView on unpkg · L20206const plat = require('os').platform();
L207: if (plat === 'darwin') require('child_process').execSync('open "' + loginUrl + '"');
L208: else if (plat === 'win32') require('child_process').execSync('start "" "' + loginUrl + '"');
High
Child Process
Package source references child process execution.
bin/fmlhealth-cli.jsView on unpkg · L206Findings
2 Critical2 High3 Medium4 Low
CriticalCommand Output Exfiltrationbin/fmlhealth-cli.js
CriticalTrigger Reachable Dangerous Capabilitybin/fmlhealth-cli.js
HighChild Processbin/fmlhealth-cli.js
HighShell
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License