registry  /  @frontic/cli  /  0.0.0-canary-20260708160643

@frontic/cli@0.0.0-canary-20260708160643

Frontic CLI for managing your storefront projects

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `frontic mcp init --client <client>` or other Frontic CLI commands.
Impact
Warn-level agent control-surface mutation; no confirmed malicious install-time or stealth behavior.
Mechanism
Explicit CLI writes project, env, generated SDK, context, and MCP config files.
Rationale
Source inspection shows no install-time execution, hidden shell execution, non-Frontic exfiltration, or stealth persistence. Because the package can explicitly mutate AI-agent MCP configuration to remote servers, it fits warn-level agent capability abuse rather than clean or publish-block malicious behavior.
Evidence
package.jsondist/frontic.mjsREADME.md.frontic/api_session.jwt.frontic/project.json.frontic/version-check-cache.jsonfetch-api.d.tsgenerated-types.d.tsgenerated-client.tsquery-types.tsmetadata.jsonfetch-api.spec.yamlfetch-api.debug.yaml.claude/CLAUDE.md.claude/rules.claude/skills.cursor/rules/project-rules.md.cursor/rules.cursor/skills
Network endpoints6
backend.frontic.com/app.frontic.com/mcp.frontic.com/mcpdocs.frontic.com/mcpregistry.npmjs.org/@frontic/cli/latestlocalhost:3008

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/frontic.mjs exposes explicit `frontic mcp init --client <...>` that writes MCP config for cursor/claude/windsurf/vscode/codex.
  • Codex target writes to homedir `.codex/config.toml`; other clients write `.cursor/mcp.json`, `.mcp.json`, `.vscode/mcp.json`, or Windsurf config.
  • MCP servers added are remote HTTP endpoints `https://mcp.frontic.com/mcp` and `https://docs.frontic.com/mcp`.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts; install does not mutate agent config.
  • AI-agent config mutation is explicit user-invoked CLI behavior with a required `--client` and interactive server selection.
  • Network calls are Frontic/product-aligned: backend/app Frontic APIs, docs/MCP, login, and npm latest-version check.
  • File writes are expected CLI outputs: token/project config, generated SDK files, skills/rules, `.env.studio`, and MCP config.
  • No evidence of credential harvesting beyond user login token/project credential commands, and no exfiltration to non-Frontic hosts.
  • child_process import appears from bundled commander subcommand support, not package-specific hidden execution.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 1 file(s), 105 KB of source, external domains: app.frontic.com, app.frontstack.test, backend.frontic.com, backend.frontstack.test, docs.frontic.com, mcp.frontic.com, registry.npmjs.org

Source & flagged code

3 flagged · loading source
dist/frontic.mjsView file
1#!/usr/bin/env node L2: var Bt=Object.defineProperty;var l=(o,e)=>Bt(o,"name",{value:e,configurable:!0});var ce,le,ue,de,pe,fe,te;import Jt from"events";import zt from"child_process";import Te from"path";... L3: `).replace(/^/gm," ".repeat(i))}l(u,"formatList");let p=[`Usage: ${t.commandUsage(e)}`,""];const c=t.commandDescription(e);c.length>0&&(p=p.concat([t.wrap(c,r,0),""]));const h=t.vi...
High
Child Process

Package source references child process execution.

dist/frontic.mjsView on unpkg · L1
13Expecting one of '${n.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(t):this._lifeCycleHooks[e]=[t],this}exitOverride(e){return e?this._exitCallback=e... L14: - already used by option '${t.flags}'`)}this.options.push(e)}_registerCommand(e){const t=l(r=>[r.name()].concat(r.aliases()),"knownBy"),n=t(e).find(r=>this._findCommand(r));if(n){... L15: - if '${e._name}' is not meant to be an executable command, remove description parameter from '.command()' and use '.description()' instead ... L22: Expecting one of '${n.join("', '")}'`);const r=`${e}Help`;return this.on(r,i=>{let s;typeof t=="function"?s=t({error:i.error,command:i.command}):s=t,s&&i.write(`${s} L23: `)}),this}_outputHelpIfRequested(e){const t=this._getHelpOption();t&&e.find(r=>t.is(r))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}},l(te,"Command"... L24: Run ${a.hex("#7c3bed")("frontic project")} to select a Frontic project`);return process.env.NODE_TLS_REJECT_UNAUTHORIZED=process.env.FRONTIC_CLI_DEV_MODE?"0":"1",await I(En,{method...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/frontic.mjsView on unpkg · L13
10(Did you mean one of ${n.join(", ")}?)`:n.length===1?` L11: (Did you mean ${n[0]}?)`:""}l($o,"suggestSimilar$1"),at.suggestSimilar=$o;const _o=Jt.EventEmitter,Ne=zt,B=Te,Ie=_,A=Zt,{Argument:vo,humanReadableArgName:Co}=ye,{CommanderError:De}... L12: - specify the name in Command constructor or using .name()`);return t=t||{},t.isDefault&&(this._defaultCommandName=e._name),(t.noHelp||t.hidden)&&(e._hidden=!0),this._registerComma... L13: Expecting one of '${n.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(t):this._lifeCycleHooks[e]=[t],this}exitOverride(e){return e?this._exitCallback=e... L14: - already used by option '${t.flags}'`)}this.options.push(e)}_registerCommand(e){const t=l(r=>[r.name()].concat(r.aliases()),"knownBy"),n=t(e).find(r=>this._findCommand(r));if(n){... L15: - if '${e._name}' is not meant to be an executable command, remove description parameter from '.command()' and use '.description()' instead ... L22: Expecting one of '${n.join("', '")}'`);const r=`${e}Help`;return this.on(r,i=>{let s;typeof t=="function"?s=t({error:i.error,command:i.command}):s=t,s&&i.write(`${s} L23: `)}),this}_outputHelpIfRequested(e){const t=this._getHelpOp
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/frontic.mjsView on unpkg · L10

Findings

3 High1 Medium5 Low
HighChild Processdist/frontic.mjs
HighSame File Env Network Executiondist/frontic.mjs
HighCommand Output Exfiltrationdist/frontic.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License