registry  /  @cybernetyx1/atlasflow-cli  /  0.1.5

@cybernetyx1/atlasflow-cli@0.1.5

Command-line tool for authoring, inspecting, building, and deploying AtlasFlow agents.

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed package-originated malicious attack surface. Process execution, dynamic imports, file writes, and network access are tied to explicit AtlasFlow CLI commands and the user workspace.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User explicitly runs commands such as build, dev, deploy, logs, import, or connector scaffolding.
Impact
No autonomous install-time execution, credential exfiltration, persistence, or foreign AI-agent control-surface mutation is established.
Mechanism
User-invoked agent workspace scaffolding, build, deployment, and local runtime tooling.
Rationale
The flagged primitives are package-aligned CLI capabilities activated by explicit commands, not autonomous attack behavior. Source inspection found no lifecycle hook or concrete exfiltration, persistence, destructive, or AI-agent-hijack chain.
Evidence
package.jsonbin/atlasflow.jsdist/index.jsREADME.mdschemas/agent-config.v1.schema.jsondist/index.d.ts

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.js` dynamically imports user workspace config and generated modules during explicit build/dev/eval commands.
  • `dist/index.js` can spawn Node, Wrangler, Docker, and user-selected sandbox commands only through named CLI workflows.
  • `dist/index.js` reads `ATLASFLOW_API_KEY` only to authenticate the explicit `logs --server` request.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `bin/atlasflow.js` only dispatches user-supplied CLI arguments to `main`.
  • The only direct `fetch` calls in `dist/index.js` target the user-selected logs server, defaulting to localhost.
  • Sensitive workspace files and directories are explicitly excluded or rejected during agent-folder export.
  • No source references to foreign AI-agent configuration paths, VCS hooks, credential harvesting, or unsolicited external endpoints were found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 310 KB of source, external domains: api.example.com, api.linear.app, api.notion.com, api.pagerduty.com, app.example, brain.example.com, gitlab.com, mcp.example.com, sentry.io, your-domain.atlassian.net

Source & flagged code

3 flagged · loading source
dist/index.jsView file
1// src/commands.ts L2: import { spawn } from "child_process"; L3: import * as fs5 from "fs"; ... L227: when_to_use: sk[redacted], L228: body: skill.body, L229: allowedTools: sk[redacted], ... L612: kind: isTextContent(content) ? "text" : "binary", L613: encoding: "base64", L614: content: content.toString("base64") ... L1195: const persistence = await persistenceFromEnv(); L1196: const completionDestination = runCompletionDestinationFromEnv(process.env); L1197: if (completionDestination && !persistence) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.exports -> dist/index.js L1: // src/commands.ts L2: import { spawn } from "child_process"; L3: import * as fs5 from "fs"; ... L227: when_to_use: sk[redacted], L228: body: skill.body, L229: allowedTools: sk[redacted], ... L612: kind: isTextContent(content) ? "text" : "binary", L613: encoding: "base64", L614: content: content.toString("base64") ... L1195: const persistence = await persistenceFromEnv(); L1196: const completionDestination = runCompletionDestinationFromEnv(process.env); L1197: if (completionDestination && !persistence) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
1284if (!url) return undefined; L1285: const { postgres } = await import("@cybernetyx1/atlasflow-postgres"); L1286: const adapter = postgres(url);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1284

Findings

2 Critical4 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License