registry  /  @cybernetyx1/atlasflow-cli  /  0.1.7

@cybernetyx1/atlasflow-cli@0.1.7

Command-line tool for authoring, inspecting, building, and deploying AtlasFlow agents.

AI Security Review

scanned 55m ago · by lpm-firewall-ai

No confirmed package-originated malicious attack surface. The CLI performs project scaffolding, builds, local runs, and optional user-invoked deployment actions.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs an atlasflow subcommand such as init, run, build, eval, or deploy.
Impact
User-selected commands can modify the selected workspace or deploy through Wrangler; no credential harvesting or unsolicited exfiltration is established.
Mechanism
Explicit CLI orchestration of user workspace files, local agent bundles, and configured services.
Rationale
Direct inspection shows a user-invoked agent-development CLI with no install-time execution and no package-owned exfiltration endpoint. Scanner credential/network signals correspond to sensitive-file rejection, configurable runtime credentials, and explicit user commands.
Evidence
package.jsonbin/atlasflow.jsdist/index.jsREADME.mdschemas/agent-config.v1.schema.json

Decision evidence

public snapshot
AI called this Clean at 95.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks.
    • bin/atlasflow.js only invokes main() after the user runs atlasflow.
    • dist/index.js excludes .env, .npmrc, .ssh, .aws, keys, and credentials from packaged agent content.
    • Network fetches target localhost, user-supplied --server/OpenAPI URLs, or documented optional deployment configuration.
    • spawn is limited to explicit atlasflow deploy invoking the configured Wrangler command.
    • Dynamic imports load generated workspace bundles or the declared AtlasFlow runtime during explicit commands.
    Behavioral surface
    Source
    ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    Manifest
    NoLicense
    scanned 2 file(s), 311 KB of source, external domains: api.example.com, api.linear.app, api.notion.com, api.pagerduty.com, app.example, brain.example.com, gitlab.com, mcp.example.com, sentry.io, your-domain.atlassian.net

    Source & flagged code

    3 flagged · loading source
    dist/index.jsView file
    1// src/commands.ts L2: import { spawn } from "child_process"; L3: import * as fs5 from "fs"; ... L227: when_to_use: sk[redacted], L228: body: skill.body, L229: allowedTools: sk[redacted], ... L612: kind: isTextContent(content) ? "text" : "binary", L613: encoding: "base64", L614: content: content.toString("base64") ... L1195: const persistence = await persistenceFromEnv(); L1196: const completionDestination = runCompletionDestinationFromEnv(process.env); L1197: if (completionDestination && !persistence) {
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/index.jsView on unpkg · L1
    1Trigger-reachable chain: manifest.exports -> dist/index.js L1: // src/commands.ts L2: import { spawn } from "child_process"; L3: import * as fs5 from "fs"; ... L227: when_to_use: sk[redacted], L228: body: skill.body, L229: allowedTools: sk[redacted], ... L612: kind: isTextContent(content) ? "text" : "binary", L613: encoding: "base64", L614: content: content.toString("base64") ... L1195: const persistence = await persistenceFromEnv(); L1196: const completionDestination = runCompletionDestinationFromEnv(process.env); L1197: if (completionDestination && !persistence) {
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/index.jsView on unpkg · L1
    1284if (!url) return undefined; L1285: const { postgres } = await import("@cybernetyx1/atlasflow-postgres"); L1286: const adapter = postgres(url);
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/index.jsView on unpkg · L1284

    Findings

    2 Critical4 Medium5 Low
    CriticalCredential Exfiltrationdist/index.js
    CriticalTrigger Reachable Dangerous Capabilitydist/index.js
    MediumDynamic Requiredist/index.js
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License