registry  /  @flopod/cli  /  0.14.1

@flopod/cli@0.14.1

The Flopod engine + host package. Despite the `cli` name, it ships two things on top of one shared core:

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can install and refresh first-party Flopod Claude skill files in a project during explicit scaffolding or agent-authoring actions. It also invokes dependency installation only from the explicit `flopod new` command.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `flopod new` or starts an authoring-agent action.
Impact
Project-scoped AI-agent instructions can be overwritten; authoring capability may execute user-directed development actions.
Mechanism
First-party `.claude/skills` provisioning plus Claude-agent workflow execution.
Rationale
Source inspection confirms explicit CLI-controlled agent-skill writes and agent capability, but no lifecycle hook, stealthy exfiltration, remote payload execution, or automatic foreign-control-surface mutation. Warn for the first-party agent-extension lifecycle risk rather than block.
Evidence
package.jsondist/commands/new.jsdist/bundled-skills.jsdist/chat-agent.jsdist/providers/fly.jsassets/flopod-workflow/SKILL.md.claude/skills/flopod-workflow.claude/skills/flopod-debug.claude/skills/flopod-connect.claude/skills/flopod-ui

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/new.js` writes bundled skills to `.claude/skills/*` on explicit `flopod new`.
  • `dist/chat-agent.js` refreshes `.claude/skills/*` before an authoring-agent run.
  • `dist/bundled-skills.js` overwrites packaged agent-skill files in the selected project.
  • `dist/commands/new.js` runs `npm install` only after explicit `flopod new`.
  • `dist/chat-agent.js` dynamically loads the Claude Agent SDK for user-invoked authoring.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Entrypoints dispatch CLI commands; import does not execute project mutation.
  • No `eval`, `Function`, VM loading, hidden downloader, or package-install-time network action found.
  • Fly and Git operations are explicit deploy/sync CLI paths rather than background behavior.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 33 file(s), 387 KB of source, external domains: fly.io, github.com

Source & flagged code

6 flagged · loading source
dist/git.jsView file
1import { spawn, spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, lstatSync, rmdirSync, unlinkSync } from 'fs';
High
Child Process

Package source references child process execution.

dist/git.jsView on unpkg · L1
737* fast-forwarded; a failed install is a fixable follow-up, not a reason to strand the draft). L738: * `shell: true` is required so Windows can invoke `pnpm.cmd` — Node 20+ refuses to spawn a `.cmd` L739: * directly (EINVAL) without a shell. The args are fixed (no user input), so the DEP0190 shell-arg
High
Shell

Package source references shell execution.

dist/git.jsView on unpkg · L737
1import { spawn, spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, lstatSync, rmdirSync, unlinkSync } from 'fs'; ... L9: const r = spawnSync('git', args, { cwd, encoding: 'utf8' }); L10: return { ok: !r.error && r.status === 0, out: ((r.stdout ?? '') + (r.stderr ?? '')).trim() }; L11: } ... L18: */ L19: const DEBUG = !!process.env.FLOPOD_DEBUG; L20: function trace(log, msg) { ... L185: // mount it on a volume). Default: `~/.flopod/worktrees`, out of every flopod's repo tree. L186: const home = process.env.FLOPOD_WORKTREES_HOME || join(homedir(), '.flopod', 'worktrees'); L187: return join(home, key); ... L201: try {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/git.jsView on unpkg · L1
dist/providers/fly.jsView file
1import { spawnSync } from 'child_process'; L2: import { existsSync, readFileSync, readdirSync } from 'fs'; ... L13: function installHint() { L14: const cmd = process.platform === 'win32' L15: ? 'pwsh -Command "iwr https://fly.io/install.ps1 -useb | iex"' L16: : 'curl -L https://fly.io/install.sh | sh'; ... L35: const ext = process.platform === 'win32' ? '.exe' : ''; L36: candidates.push(join(homedir(), '.fly', 'bin', `flyctl${ext}`)); L37: for (const bin of candidates) { ... L48: } L49: /** Run a Fly command quietly and capture stdout (for probes like whoami/status). */ L50: /** Docker `--build-arg` pairs stamping the image's identity (surfaced under Settings → Version):
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/providers/fly.jsView on unpkg · L1
dist/commands/new.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @flopod/cli@0.11.0 matchedIdentity = npm:QGZsb3BvZC9jbGk:0.11.0 similarity = 0.806 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/new.jsView on unpkg
44console.log('Installing dependencies (flopod + TS types)...'); L45: execSync('npm install --prefer-offline --no-audit --no-fund', { cwd: dir, stdio: 'inherit' }); L46: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/new.jsView on unpkg · L44

Findings

1 Critical4 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/commands/new.js
HighChild Processdist/git.js
HighShelldist/git.js
HighSandbox Evasion Gated Capabilitydist/providers/fly.js
HighRuntime Package Installdist/commands/new.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptodist/git.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License