AI Security Review
scanned 55m ago · by lpm-firewall-aiNo confirmed package-originated malicious attack surface. The CLI performs project scaffolding, builds, local runs, and optional user-invoked deployment actions.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs an atlasflow subcommand such as init, run, build, eval, or deploy.
Impact
User-selected commands can modify the selected workspace or deploy through Wrangler; no credential harvesting or unsolicited exfiltration is established.
Mechanism
Explicit CLI orchestration of user workspace files, local agent bundles, and configured services.
Rationale
Direct inspection shows a user-invoked agent-development CLI with no install-time execution and no package-owned exfiltration endpoint. Scanner credential/network signals correspond to sensitive-file rejection, configurable runtime credentials, and explicit user commands.
Evidence
package.jsonbin/atlasflow.jsdist/index.jsREADME.mdschemas/agent-config.v1.schema.json
Decision evidence
public snapshotAI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks.
- bin/atlasflow.js only invokes main() after the user runs atlasflow.
- dist/index.js excludes .env, .npmrc, .ssh, .aws, keys, and credentials from packaged agent content.
- Network fetches target localhost, user-supplied --server/OpenAPI URLs, or documented optional deployment configuration.
- spawn is limited to explicit atlasflow deploy invoking the configured Wrangler command.
- Dynamic imports load generated workspace bundles or the declared AtlasFlow runtime during explicit commands.
Behavioral surface
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
3 flagged · loading sourcedist/index.jsView file
1// src/commands.ts
L2: import { spawn } from "child_process";
L3: import * as fs5 from "fs";
...
L227: when_to_use: sk[redacted],
L228: body: skill.body,
L229: allowedTools: sk[redacted],
...
L612: kind: isTextContent(content) ? "text" : "binary",
L613: encoding: "base64",
L614: content: content.toString("base64")
...
L1195: const persistence = await persistenceFromEnv();
L1196: const completionDestination = runCompletionDestinationFromEnv(process.env);
L1197: if (completionDestination && !persistence) {
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/index.jsView on unpkg · L11Trigger-reachable chain: manifest.exports -> dist/index.js
L1: // src/commands.ts
L2: import { spawn } from "child_process";
L3: import * as fs5 from "fs";
...
L227: when_to_use: sk[redacted],
L228: body: skill.body,
L229: allowedTools: sk[redacted],
...
L612: kind: isTextContent(content) ? "text" : "binary",
L613: encoding: "base64",
L614: content: content.toString("base64")
...
L1195: const persistence = await persistenceFromEnv();
L1196: const completionDestination = runCompletionDestinationFromEnv(process.env);
L1197: if (completionDestination && !persistence) {
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L11284if (!url) return undefined;
L1285: const { postgres } = await import("@cybernetyx1/atlasflow-postgres");
L1286: const adapter = postgres(url);
Medium
Dynamic Require
Package source references dynamic require/import behavior.
dist/index.jsView on unpkg · L1284Findings
2 Critical4 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License