registry  /  @convertr/cli  /  2.0.2

@convertr/cli@2.0.2

Convertr CLI — theme development tool

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Convertr theme CLI with user-invoked auth, git cache, build, push/pull, and local dev server commands; suspicious primitives are aligned with those features.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user CLI commands such as cvtr login, cvtr theme init/run/push/pull/status/diff
Impact
Expected theme development workflow; command-injection hardening concerns exist around interpolated git args but no evidence of malicious intent or unconsented execution.
Mechanism
User-invoked Auth0 OAuth, git operations, theme file copy/build, and local server launch
Rationale
Static inspection shows a legitimate theme-development CLI; the network, token, filesystem, and child_process usage is activated by user commands and matches the package purpose. There are shell interpolation risks in git helper calls, but no concrete malicious chain, install-time execution, exfiltration, or persistence was found.
Evidence
package.jsonindex.jscommands/auth.jscommands/theme.jslib/auth.jslib/config.jslib/git.jslib/storefront.jslib/version-check.js~/.cvtr/config.json~/.cvtr/themes-cache~/.cvtr/storefront-cachetheme-config.jsontemplates/*.liquidcomponents/*.liquidincs/*.liquidcss/*.cssjs/*.js
Network endpoints5
convertr-commerce.us.auth0.com/oauth/device/codeconvertr-commerce.us.auth0.com/oauth/tokenregistry.npmjs.org/@convertr%2Fcli/latestgit@bitbucket.org:convertr/storefront-themes.gitgit@bitbucket.org:convertr/storefront.git

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • lib/git.js wraps execSync git commands and interpolates themeName/message arguments
  • commands/auth.js stores Auth0 tokens in ~/.cvtr/config.json after explicit cvtr login
  • commands/theme.js can run npm install and spawn node server for cloned storefront during explicit cvtr theme run
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts
  • index.js only registers CLI commands and checks npm registry for latest version on invocation
  • Network endpoints are package-aligned: Auth0 login/refresh, npm registry version check, Bitbucket Convertr git remotes
  • No credential harvesting beyond explicit login token storage; no exfiltration to unrelated hosts found
  • File writes are scoped to ~/.cvtr caches/config or current theme project during explicit commands
  • No AI-agent control-surface writes, persistence, destructive install-time behavior, or remote payload execution found
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
Manifest
NoLicense
scanned 11 file(s), 26.8 KB of source, external domains: registry.npmjs.org

Source & flagged code

2 flagged · loading source
lib/git.jsView file
2import os from 'os' L3: import { execSync } from 'child_process' L4: import { dirname, join } from 'path'
High
Child Process

Package source references child process execution.

lib/git.jsView on unpkg · L2
commands/auth.jsView file
55const open = process.platform === 'darwin' ? 'open' : 'xdg-open' L56: execSync(`${open} "${device.verification_uri_complete}"`) L57: } catch (_) {} ... L62: L63: process.stdout.write(chalk.gray('Aguardando autenticação no browser')) L64: ... L69: try { L70: const { data } = await axios.post(`https://${AUTH0_DOMAIN}/oauth/token`, { L71: client_id: AUTH0_CLIENT_ID,
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

commands/auth.jsView on unpkg · L55

Findings

3 High2 Medium3 Low
HighChild Processlib/git.js
HighShell
HighCommand Output Exfiltrationcommands/auth.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowUrl Strings
LowNo License