registry  /  @flopod/cli  /  0.14.2

@flopod/cli@0.14.2

The Flopod engine + host package. Despite the `cli` name, it ships two things on top of one shared core:

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The explicit `flopod new <name>` command scaffolds a project and installs first-party Claude skill files. The package also exposes an opt-in Claude-powered authoring agent able to edit and execute within the selected project.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `flopod new <name>` or uses the CLI's authoring-agent features.
Impact
Creates a package-owned AI-agent control surface in the new project and enables command-capable agent workflows.
Mechanism
User-invoked project scaffolding and agent-enabled workflow authoring.
Rationale
Source inspection confirms a first-party, user-invoked AI-agent extension setup and command-capable authoring path, not concrete malicious behavior. Flag for warning under the agent-extension lifecycle policy rather than block.
Evidence
package.jsondist/index.jsdist/commands/new.jsdist/bundled-skills.jsdist/chat-agent.jsdist/providers/fly.js<new-project>/.claude/skills/<new-project>/package.json<new-project>/.git/<new-project>/src/main.ts
Network endpoints3
fly.io/install.shfly.io/install.ps1fly.io/docs/flyctl/install/

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/commands/new.js` writes bundled files under a new project's `.claude/skills/`.
  • `dist/chat-agent.js` invokes the Claude Agent SDK with authoring capabilities that can edit and run commands.
  • `dist/commands/new.js` runs `npm install` after an explicit `flopod new` command.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `dist/index.js` dispatches behavior only after an explicit CLI subcommand.
  • `.claude/skills` writes are limited to the user-named scaffold directory, not a home/global agent configuration.
  • No source evidence of credential exfiltration, stealth persistence, remote payload loading, or destructive behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 33 file(s), 387 KB of source, external domains: fly.io, github.com

Source & flagged code

6 flagged · loading source
dist/git.jsView file
1import { spawn, spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, lstatSync, rmdirSync, unlinkSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/git.jsView on unpkg · L1
737* fast-forwarded; a failed install is a fixable follow-up, not a reason to strand the draft). L738: * `shell: true` is required so Windows can invoke `pnpm.cmd` — Node 20+ refuses to spawn a `.cmd` L739: * directly (EINVAL) without a shell. The args are fixed (no user input), so the DEP0190 shell-arg
High
Shell

Package source references shell execution.

dist/git.jsView on unpkg · L737
1import { spawn, spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, lstatSync, rmdirSync, unlinkSync } from 'fs'; ... L9: const r = spawnSync('git', args, { cwd, encoding: 'utf8' }); L10: return { ok: !r.error && r.status === 0, out: ((r.stdout ?? '') + (r.stderr ?? '')).trim() }; L11: } ... L18: */ L19: const DEBUG = !!process.env.FLOPOD_DEBUG; L20: function trace(log, msg) { ... L185: // mount it on a volume). Default: `~/.flopod/worktrees`, out of every flopod's repo tree. L186: const home = process.env.FLOPOD_WORKTREES_HOME || join(homedir(), '.flopod', 'worktrees'); L187: return join(home, key); ... L201: try {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/git.jsView on unpkg · L1
dist/providers/fly.jsView file
1import { spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, readdirSync } from 'fs'; ... L13: function installHint() { L14: const cmd = process.platform === 'win32' L15: ? 'pwsh -Command "iwr https://fly.io/install.ps1 -useb | iex"' L16: : 'curl -L https://fly.io/install.sh | sh'; ... L35: const ext = process.platform === 'win32' ? '.exe' : ''; L36: candidates.push(join(homedir(), '.fly', 'bin', `flyctl${ext}`)); L37: for (const bin of candidates) { ... L48: } L49: /** Run a Fly command quietly and capture stdout (for probes like whoami/status). */ L50: /** Docker `--build-arg` pairs stamping the image's identity (surfaced under Settings → Version):
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/providers/fly.jsView on unpkg · L1
dist/commands/new.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @flopod/cli@0.14.1 matchedIdentity = npm:QGZsb3BvZC9jbGk:0.14.1 similarity = 0.969 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/new.jsView on unpkg
44console.log('Installing dependencies (flopod + TS types)...'); L45: execSync('npm install --prefer-offline --no-audit --no-fund', { cwd: dir, stdio: 'inherit' }); L46: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/new.jsView on unpkg · L44

Findings

1 Critical4 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/commands/new.js
HighChild Processdist/git.js
HighShelldist/git.js
HighSandbox Evasion Gated Capabilitydist/providers/fly.js
HighRuntime Package Installdist/commands/new.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/git.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License