registry  /  @cybernetyx1/atlasflow-cli  /  0.1.4

@cybernetyx1/atlasflow-cli@0.1.4

Command-line tool for authoring, inspecting, building, and deploying AtlasFlow agents.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Network requests are limited to explicit CLI operations against a user-selected server or OpenAPI URL, and project code execution follows explicit build/run/eval commands.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes an AtlasFlow CLI command such as `run`, `eval`, `logs`, `deploy`, or `add`.
Impact
The CLI can execute user project code and deploy through Wrangler as intended, but source inspection found no unsolicited credential collection, exfiltration, or persistence.
Mechanism
Explicit project scaffolding, bundling, local imports, and user-directed service requests.
Rationale
The scanner's credential-exfiltration signal conflates documented or user-directed API authentication with package behavior. Direct inspection found no install-time execution, secret harvesting, remote payload loading, destructive action, or foreign agent-control mutation.
Evidence
package.jsonbin/atlasflow.jsdist/index.jsschemas/agent-config.v1.schema.json

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.js` exposes explicit CLI commands that can bundle and import a user project.
  • `dist/index.js` sends `--api-key` or `ATLASFLOW_API_KEY` only with user-invoked `eval`/`logs` requests to the selected server.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `bin/atlasflow.js` only calls exported `main()` after the user invokes the CLI.
  • `dist/index.js` command dispatch requires explicit `run`, `eval`, `logs`, `deploy`, or similar commands.
  • Dynamic imports in `dist/index.js` load generated local project bundles or declared AtlasFlow modules, not remote code.
  • No reads of `.ssh`, `.aws`, `.npmrc`, or credential files were found; export/import logic explicitly rejects sensitive paths.
  • No foreign AI-agent control-surface paths or unconsented persistence mechanism were found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 310 KB of source, external domains: api.example.com, api.linear.app, api.notion.com, api.pagerduty.com, app.example, brain.example.com, gitlab.com, mcp.example.com, sentry.io, your-domain.atlassian.net

Source & flagged code

3 flagged · loading source
dist/index.jsView file
1// src/commands.ts L2: import { spawn } from "child_process"; L3: import * as fs5 from "fs"; ... L227: when_to_use: sk[redacted], L228: body: skill.body, L229: allowedTools: sk[redacted], ... L612: kind: isTextContent(content) ? "text" : "binary", L613: encoding: "base64", L614: content: content.toString("base64") ... L1195: const persistence = await persistenceFromEnv(); L1196: const completionDestination = runCompletionDestinationFromEnv(process.env); L1197: if (completionDestination && !persistence) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.exports -> dist/index.js L1: // src/commands.ts L2: import { spawn } from "child_process"; L3: import * as fs5 from "fs"; ... L227: when_to_use: sk[redacted], L228: body: skill.body, L229: allowedTools: sk[redacted], ... L612: kind: isTextContent(content) ? "text" : "binary", L613: encoding: "base64", L614: content: content.toString("base64") ... L1195: const persistence = await persistenceFromEnv(); L1196: const completionDestination = runCompletionDestinationFromEnv(process.env); L1197: if (completionDestination && !persistence) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
1284if (!url) return undefined; L1285: const { postgres } = await import("@cybernetyx1/atlasflow-postgres"); L1286: const adapter = postgres(url);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1284

Findings

2 Critical4 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License