registry  /  @flopod/cli  /  0.10.0

@flopod/cli@0.10.0

The Flopod engine + host package. Despite the `cli` name, it ships two things on top of one shared core:

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Explicit CLI actions can scaffold a project, install its declared dependencies, and add first-party Claude skills. User-initiated authoring sessions can invoke an external agent SDK with editing and Bash capabilities.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Run `flopod new` or start an authoring-agent session.
Impact
A user who invokes these features grants project write and command-execution capability; no unconsented install-time behavior or exfiltration chain was confirmed.
Mechanism
project-local agent-skill installation and user-invoked agent/code execution
Rationale
Static hints overstate the risk: source confirms intentional, user-triggered scaffolding and agent tooling rather than concrete malicious behavior. Warn for first-party project agent-skill setup and powerful authoring capability.
Evidence
package.jsondist/commands/new.jsdist/bundled-skills.jsdist/chat-agent.jsdist/providers/fly.jsassets/flopod-connect/SKILL.mdassets/flopod-workflow/SKILL.mdassets/flopod-debug/SKILL.md<projectDir>/.claude/skills/*<projectDir>/package.json<projectDir>/src/main.ts

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/bundled-skills.js` copies bundled files into `<projectDir>/.claude/skills/*`.
  • `dist/commands/new.js` invokes that copy during explicit `flopod new` scaffolding.
  • `dist/chat-agent.js` loads user/project Claude settings and gives author sessions Bash plus edit tools.
  • `dist/commands/new.js` explicitly runs `npm install` in the newly created project.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No source-inspected code sends harvested environment variables or files to a package-controlled endpoint.
  • The `.claude` mutation is limited to first-party bundled skills under the selected project directory.
  • `dist/providers/fly.js` only prints Fly installation URLs; it does not execute those shell pipelines.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 31 file(s), 369 KB of source, external domains: fly.io, github.com

Source & flagged code

6 flagged · loading source
dist/git.jsView file
1import { spawn, spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, lstatSync, rmdirSync, unlinkSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/git.jsView on unpkg · L1
737* fast-forwarded; a failed install is a fixable follow-up, not a reason to strand the draft). L738: * `shell: true` is required so Windows can invoke `pnpm.cmd` — Node 20+ refuses to spawn a `.cmd` L739: * directly (EINVAL) without a shell. The args are fixed (no user input), so the DEP0190 shell-arg
High
Shell

Package source references shell execution.

dist/git.jsView on unpkg · L737
1import { spawn, spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, lstatSync, rmdirSync, unlinkSync } from 'fs'; ... L9: const r = spawnSync('git', args, { cwd, encoding: 'utf8' }); L10: return { ok: !r.error && r.status === 0, out: ((r.stdout ?? '') + (r.stderr ?? '')).trim() }; L11: } ... L18: */ L19: const DEBUG = !!process.env.FLOPOD_DEBUG; L20: function trace(log, msg) { ... L185: // mount it on a volume). Default: `~/.flopod/worktrees`, out of every flopod's repo tree. L186: const home = process.env.FLOPOD_WORKTREES_HOME || join(homedir(), '.flopod', 'worktrees'); L187: return join(home, key); ... L201: try {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/git.jsView on unpkg · L1
dist/providers/fly.jsView file
1import { spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, readdirSync } from 'fs'; ... L13: function installHint() { L14: const cmd = process.platform === 'win32' L15: ? 'pwsh -Command "iwr https://fly.io/install.ps1 -useb | iex"' L16: : 'curl -L https://fly.io/install.sh | sh'; ... L35: const ext = process.platform === 'win32' ? '.exe' : ''; L36: candidates.push(join(homedir(), '.fly', 'bin', `flyctl${ext}`)); L37: for (const bin of candidates) { ... L48: } L49: /** Run a Fly command quietly and capture stdout (for probes like whoami/status). */ L50: /** Docker `--build-arg` pairs stamping the image's identity (surfaced under Settings → Version):
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/providers/fly.jsView on unpkg · L1
dist/commands/new.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @flopod/cli@0.6.0 matchedIdentity = npm:QGZsb3BvZC9jbGk:0.6.0 similarity = 0.375 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/new.jsView on unpkg
43console.log('Installing dependencies (flopod + TS types)...'); L44: execSync('npm install --prefer-offline --no-audit --no-fund', { cwd: dir, stdio: 'inherit' }); L45: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/new.jsView on unpkg · L43

Findings

1 Critical4 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/commands/new.js
HighChild Processdist/git.js
HighShelldist/git.js
HighSandbox Evasion Gated Capabilitydist/providers/fly.js
HighRuntime Package Installdist/commands/new.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/git.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License