registry  /  @edge-base/cli  /  0.3.3

@edge-base/cli@0.3.3

CLI for EdgeBase — create, develop, and deploy EdgeBase projects

AI Security Review

scanned 4d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs edgebase init or other explicit CLI commands
Impact
Warn-level AI agent control-surface mutation by explicit init; no unconsented install-time mutation or exfiltration found
Mechanism
project scaffolding, Cloudflare resource management, local dev tooling, and first-party AI guidance setup
Rationale
The package is a feature-rich CLI with expected network, shell, config evaluation, and file-writing behavior for EdgeBase/Cloudflare workflows, with no lifecycle hooks or hidden exfiltration. Because it explicitly writes AI-agent guidance files during init, treat as warn-level agent control-surface risk rather than malicious.
Evidence
package.jsondist/index.jsdist/commands/init.jsdist/lib/telemetry.jsdist/lib/turnstile-provision.jsdist/lib/load-config.jsdist/lib/dev-sidecar.jsdist/commands/deploy.jsllms.txtAGENTS.md.github/copilot-instructions.mdedgebase.config.ts.env.development.env.release.edgebase/secrets.jsonwrangler.toml
Network endpoints4
api.cloudflare.com/client/v4/accounts/${cfAccountId}/challenges/widgetsapi.cloudflare.com/client/v4/accounts/${cf.accountId}/workers/durable_objects/namespaceslocalhost:8787127.0.0.1:${opts.workerPort}/admin/api/data/sql

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Benign with medium false-positive risk.
Evidence for warning
  • dist/commands/init.js writes AGENTS.md and .github/copilot-instructions.md during explicit edgebase init.
  • Generated AI guidance instructs agents to use EdgeBase package docs/llms.txt and local config context.
  • dist/lib/load-config.js evaluates project edgebase.config.ts via tsx/esbuild for CLI commands.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/index.js only registers commander CLI commands; no install/import-time payload.
  • dist/lib/telemetry.js stores opt-in events locally in ~/.edgebase/telemetry.json and says disabled by default.
  • Network use is aligned to Cloudflare/worker/local dev endpoints for deploy, backup, plugins, Turnstile, and admin workflows.
  • child_process usage invokes wrangler/npm/node/tar/packaging tools in user-run commands, not hidden persistence or exfiltration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 62 file(s), 753 KB of source, external domains: 127.0.0.1, api.cloudflare.com, docs.docker.com, edgebase.fun, www.apple.com

Source & flagged code

6 flagged · loading source
dist/lib/turnstile-provision.jsView file
1import { execFileSync } from 'node:child_process'; L2: import { existsSync, readFileSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/lib/turnstile-provision.jsView on unpkg · L1
dist/lib/pack.jsView file
326if (process.platform === 'win32') { L327: execFileSync('powershell', [ L328: '-NoProfile',
High
Shell

Package source references shell execution.

dist/lib/pack.jsView on unpkg · L326
dist/lib/dev-sidecar.jsView file
284if (!pgModulePromise) { L285: const dynamicImport = new Function('specifier', 'return import(specifier)'); L286: pgModulePromise = dynamicImport('pg').then((mod) => mod);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/lib/dev-sidecar.jsView on unpkg · L284
284if (!pgModulePromise) { L285: const dynamicImport = new Function('specifier', 'return import(specifier)'); L286: pgModulePromise = dynamicImport('pg').then((mod) => mod);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/lib/dev-sidecar.jsView on unpkg · L284
dist/commands/dev.jsView file
1import { Command, CommanderError } from 'commander'; L2: import { spawn } from 'node:child_process'; L3: import { createHash, randomBytes } from 'node:crypto'; L4: import { createServer } from 'node:net'; L5: import { existsSync, watch, readFileSync, copyFileSync, unlinkSync, readdirSync, mkdirSync, promises as fsPromises, } from 'node:fs'; ... L28: const PORT_RESERVATION_STALE_GRACE_MS = 10_000; L29: const MAX_RECENT_WRANGLER_STDERR_LINES = 12; L30: const WRANGLER_EXIT_GRACE_MS = 2_500; L31: const WRANGLER_FORCE_KILL_GRACE_MS = 1_000; L32: const PORT_RESERVATION_DIR = process.env.EDGEBASE_DEV_PORT_RESERVATION_DIR L33: ? resolve(process.env.EDGEBASE_DEV_PORT_RESERVATION_DIR) ... L64: });
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/commands/dev.jsView on unpkg · L1
dist/commands/deploy.jsView file
1Cross-file remote execution chain: dist/commands/deploy.js spawns dist/lib/dev-sidecar.js; helper contains network access plus dynamic code execution. L1: import { Command } from 'commander'; L2: import { spawn, execFileSync } from 'node:child_process'; L3: import { wranglerArgs, wranglerCommand, wranglerHint } from '../lib/wrangler.js'; ... L32: const RELEASE_ENV_HEADER = '# EdgeBase production secrets'; L33: const ANSI_ESCAPE_REGEX = new RegExp(`${String.fromCharCode(27)}\\[[0-9;]*[a-zA-Z]`, 'g'); L34: export function [redacted](output) { ... L45: return ([redacted](deployOutput) L46: || process.env.EDGEBASE_URL L47: || resolveWorkerUrlFromProject(projectDir)); ... L53: try { L54: const response = await fetch(workerUrl, { L55: redirect: 'manual',
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/commands/deploy.jsView on unpkg · L1

Findings

3 High3 Medium6 Low
HighChild Processdist/lib/turnstile-provision.js
HighShelldist/lib/pack.js
HighCross File Remote Execution Contextdist/commands/deploy.js
MediumDynamic Requiredist/lib/dev-sidecar.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowEvaldist/lib/dev-sidecar.js
LowWeak Cryptodist/commands/dev.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings