registry  /  @h1veframework/cli  /  0.5.1

@h1veframework/cli@0.5.1

CLI `nf` do H1VE Flow: opera o fluxo da feature (status/move/blocker/spec/done/health/start) da própria branch, via PAT.

AI Security Review

scanned 12d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked H1VE workflow CLI with explicit login, repo workflow, local env, and deploy-provider helper commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `nf` commands such as login, connect, serve, start, done, or status.
Impact
Can write local H1VE credentials, update gitignored env files, create git branches, and call configured H1VE/deploy APIs when the user invokes those commands.
Mechanism
Explicit CLI workflow automation and credential/env management
Rationale
The suspicious primitives are expected for this CLI: git integration, login credential storage, local env-file management, and explicit deploy-provider API calls. There is no lifecycle delivery, covert exfiltration, persistence, destructive behavior, or foreign AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsREADME.md~/.config/h1ve/credentials.json.env.local
Network endpoints6
app.h1ve.orgapi.vercel.comapi.netlify.comapi.fly.io/graphqlbackboard.railway.com/graphql/v2api.render.com

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js exposes user-invoked `nf serve` local agent that can write env vars and call deploy provider APIs when paired.
  • dist/index.js writes credentials to `~/.config/h1ve/credentials.json` during explicit `nf login`.
  • dist/index.js runs `git` via execFile and opens browser via platform opener, both under explicit CLI commands.
Evidence against
  • package.json has no lifecycle scripts; bin is `nf` only.
  • Network calls are package-aligned: H1VE API plus deploy providers for explicit connect/serve flows.
  • No install-time/import-time execution, obfuscation, eval/vm/Function, or dynamic remote code loading found.
  • Local env writes are restricted to safe filenames and require the target env file to be gitignored.
  • Local server binds 127.0.0.1, checks loopback host/origin, and requires a random pairing token.
  • No writes to Claude/Codex/Cursor/MCP configs or other foreign AI-agent control surfaces found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 1 file(s), 51.2 KB of source, external domains: 127.0.0.1, api.fly.io, api.netlify.com, api.render.com, api.vercel.com, app.h1ve.org, backboard.railway.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
7// ../core/src/branch.ts L8: import { execFile } from "child_process"; L9: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L7
1107}); L1108: process.stdout.write( L1109: `Agente H1VE ouvindo em http://127.0.0.1:${port} L1110: Origem permitida: ${origin} ... L1122: import { randomBytes as randomBytes2 } from "crypto"; L1123: import { execFile as execFile2 } from "child_process"; L1124: var LOGIN_TIMEOUT_MS = 3 * 60 * 1e3;
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1107

Findings

3 High3 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings