registry  /  @frontic/cli  /  0.0.0-canary-20260716140146

@frontic/cli@0.0.0-canary-20260716140146

Frontic CLI for managing your storefront projects

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can install Frontic MCP endpoint configuration into AI coding-client config files when explicitly requested. It can also download Frontic project context into local agent instruction directories and inject authenticated project credentials into a selected env file. No automatic install-time attack surface was confirmed.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `frontic mcp init --client <client>`, `frontic context ...`, or `frontic credentials load` command.
Impact
Can alter local AI-client configuration or project files and expose project credentials to the selected env file.
Mechanism
User-invoked agent configuration, context sync, and credential-file writes.
Rationale
Source supports a warning for explicit AI-agent configuration and credential/context mutation capabilities. It does not establish malicious behavior because actions are user-invoked and no install-time or covert payload chain exists.
Evidence
package.jsondist/frontic.mjsREADME.md.cursor/mcp.json.mcp.json.vscode/mcp.json~/.codeium/windsurf/mcp_config.json~/.codex/config.toml.claude/CLAUDE.md.claude/rules.claude/skills.cursor/rules.cursor/skills.env.studio
Network endpoints5
backend.frontic.com/app.frontic.com/mcp.frontic.com/mcpdocs.frontic.com/mcpregistry.npmjs.org/@frontic/cli/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/frontic.mjs` implements `frontic mcp init` for Cursor, Claude, Windsurf, VS Code, and Codex.
  • The MCP command writes client configuration including `~/.codex/config.toml` after an interactive server-scope prompt.
  • `context init/skills/rules` downloads project content and writes `.claude` or `.cursor` instruction files.
  • `credentials load` fetches project credentials and writes a user-selected `.env` file.
  • No lifecycle hooks are declared in `package.json`.
Evidence against
  • `package.json` exposes only a user-invoked CLI bin; it has no preinstall/install/postinstall scripts.
  • Agent configuration changes require explicit `mcp init --client <client>` invocation and an interactive selection.
  • MCP endpoints are fixed Frontic hosts, not dynamically supplied remote code URLs.
  • Context downloads include path-traversal checks before writing attachments and rules.
  • No direct child-process execution calls, eval, native loading, or import-time payload behavior were found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 1 file(s), 105 KB of source, external domains: app.frontic.com, app.frontstack.test, backend.frontic.com, backend.frontstack.test, docs.frontic.com, mcp.frontic.com, registry.npmjs.org

Source & flagged code

3 flagged · loading source
dist/frontic.mjsView file
1#!/usr/bin/env node L2: var Bt=Object.defineProperty;var l=(o,e)=>Bt(o,"name",{value:e,configurable:!0});var ce,le,ue,de,pe,fe,te;import Jt from"events";import zt from"child_process";import Te from"path";... L3: `).replace(/^/gm," ".repeat(i))}l(u,"formatList");let p=[`Usage: ${t.commandUsage(e)}`,""];const c=t.commandDescription(e);c.length>0&&(p=p.concat([t.wrap(c,r,0),""]));const h=t.vi...
High
Child Process

Package source references child process execution.

dist/frontic.mjsView on unpkg · L1
13Expecting one of '${n.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(t):this._lifeCycleHooks[e]=[t],this}exitOverride(e){return e?this._exitCallback=e... L14: - already used by option '${t.flags}'`)}this.options.push(e)}_registerCommand(e){const t=l(r=>[r.name()].concat(r.aliases()),"knownBy"),n=t(e).find(r=>this._findCommand(r));if(n){... L15: - if '${e._name}' is not meant to be an executable command, remove description parameter from '.command()' and use '.description()' instead ... L22: Expecting one of '${n.join("', '")}'`);const r=`${e}Help`;return this.on(r,i=>{let s;typeof t=="function"?s=t({error:i.error,command:i.command}):s=t,s&&i.write(`${s} L23: `)}),this}_outputHelpIfRequested(e){const t=this._getHelpOption();t&&e.find(r=>t.is(r))&&(this.outputHelp(),this._exit(0,"commander.helpDisplayed","(outputHelp)"))}},l(te,"Command"... L24: Run ${a.hex("#7c3bed")("frontic project")} to select a Frontic project`);return process.env.NODE_TLS_REJECT_UNAUTHORIZED=process.env.FRONTIC_CLI_DEV_MODE?"0":"1",await I(En,{method...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/frontic.mjsView on unpkg · L13
10(Did you mean one of ${n.join(", ")}?)`:n.length===1?` L11: (Did you mean ${n[0]}?)`:""}l($o,"suggestSimilar$1"),at.suggestSimilar=$o;const _o=Jt.EventEmitter,Ne=zt,B=Te,Ie=_,A=Zt,{Argument:vo,humanReadableArgName:Co}=ye,{CommanderError:De}... L12: - specify the name in Command constructor or using .name()`);return t=t||{},t.isDefault&&(this._defaultCommandName=e._name),(t.noHelp||t.hidden)&&(e._hidden=!0),this._registerComma... L13: Expecting one of '${n.join("', '")}'`);return this._lifeCycleHooks[e]?this._lifeCycleHooks[e].push(t):this._lifeCycleHooks[e]=[t],this}exitOverride(e){return e?this._exitCallback=e... L14: - already used by option '${t.flags}'`)}this.options.push(e)}_registerCommand(e){const t=l(r=>[r.name()].concat(r.aliases()),"knownBy"),n=t(e).find(r=>this._findCommand(r));if(n){... L15: - if '${e._name}' is not meant to be an executable command, remove description parameter from '.command()' and use '.description()' instead ... L22: Expecting one of '${n.join("', '")}'`);const r=`${e}Help`;return this.on(r,i=>{let s;typeof t=="function"?s=t({error:i.error,command:i.command}):s=t,s&&i.write(`${s} L23: `)}),this}_outputHelpIfRequested(e){const t=this._getHelpOp
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/frontic.mjsView on unpkg · L10

Findings

3 High1 Medium5 Low
HighChild Processdist/frontic.mjs
HighSame File Env Network Executiondist/frontic.mjs
HighCommand Output Exfiltrationdist/frontic.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License