registry  /  @cybernetyx1/atlasflow-cli  /  0.1.6

@cybernetyx1/atlasflow-cli@0.1.6

Command-line tool for authoring, inspecting, building, and deploying AtlasFlow agents.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious package attack surface. Network, subprocess, and file-write capabilities are explicit CLI features operating on a caller-selected workspace or server.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit invocation of commands such as `atlasflow deploy`, `run`, `eval`, `logs`, or `add`.
Impact
No automatic credential harvesting, exfiltration, persistence, or foreign control-surface mutation established.
Mechanism
User-directed agent workspace build, deployment, and API tooling.
Rationale
The scanner findings map to documented CLI functionality: user-invoked deployment, workspace code execution, and configurable API requests. Source inspection found no lifecycle execution or concrete malicious chain.
Evidence
package.jsonbin/atlasflow.jsdist/index.jsREADME.md

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • `dist/index.js` can spawn Wrangler, but only from explicit `atlasflow deploy`.
  • `dist/index.js` dynamically imports bundles built from the caller-selected workspace for explicit `run` and `eval` commands.
  • `dist/index.js` supports user-provided server/OpenAPI URLs for explicit CLI operations.
Evidence against
  • `package.json` declares no preinstall, install, postinstall, or prepare hook.
  • `bin/atlasflow.js` only invokes exported `main()` after the user runs `atlasflow`.
  • `dist/index.js` dispatches behavior behind explicit commands; no import-time network or filesystem mutation was found.
  • `dist/index.js` filters `.env`, credential files, key files, and sensitive directories from agent export.
  • No hard-coded nonlocal collection or exfiltration endpoint was found.
  • No AI-agent configuration mutation, persistence hook, or destructive package-side behavior was found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 310 KB of source, external domains: api.example.com, api.linear.app, api.notion.com, api.pagerduty.com, app.example, brain.example.com, gitlab.com, mcp.example.com, sentry.io, your-domain.atlassian.net

Source & flagged code

3 flagged · loading source
dist/index.jsView file
1// src/commands.ts L2: import { spawn } from "child_process"; L3: import * as fs5 from "fs"; ... L227: when_to_use: sk[redacted], L228: body: skill.body, L229: allowedTools: sk[redacted], ... L612: kind: isTextContent(content) ? "text" : "binary", L613: encoding: "base64", L614: content: content.toString("base64") ... L1195: const persistence = await persistenceFromEnv(); L1196: const completionDestination = runCompletionDestinationFromEnv(process.env); L1197: if (completionDestination && !persistence) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L1
1Trigger-reachable chain: manifest.exports -> dist/index.js L1: // src/commands.ts L2: import { spawn } from "child_process"; L3: import * as fs5 from "fs"; ... L227: when_to_use: sk[redacted], L228: body: skill.body, L229: allowedTools: sk[redacted], ... L612: kind: isTextContent(content) ? "text" : "binary", L613: encoding: "base64", L614: content: content.toString("base64") ... L1195: const persistence = await persistenceFromEnv(); L1196: const completionDestination = runCompletionDestinationFromEnv(process.env); L1197: if (completionDestination && !persistence) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L1
1284if (!url) return undefined; L1285: const { postgres } = await import("@cybernetyx1/atlasflow-postgres"); L1286: const adapter = postgres(url);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1284

Findings

2 Critical4 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License