AI Security Review
scanned 12d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked H1VE workflow CLI with explicit login, repo workflow, local env, and deploy-provider helper commands.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `nf` commands such as login, connect, serve, start, done, or status.
Impact
Can write local H1VE credentials, update gitignored env files, create git branches, and call configured H1VE/deploy APIs when the user invokes those commands.
Mechanism
Explicit CLI workflow automation and credential/env management
Rationale
The suspicious primitives are expected for this CLI: git integration, login credential storage, local env-file management, and explicit deploy-provider API calls. There is no lifecycle delivery, covert exfiltration, persistence, destructive behavior, or foreign AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsREADME.md~/.config/h1ve/credentials.json.env.local
Network endpoints6
app.h1ve.orgapi.vercel.comapi.netlify.comapi.fly.io/graphqlbackboard.railway.com/graphql/v2api.render.com
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js exposes user-invoked `nf serve` local agent that can write env vars and call deploy provider APIs when paired.
- dist/index.js writes credentials to `~/.config/h1ve/credentials.json` during explicit `nf login`.
- dist/index.js runs `git` via execFile and opens browser via platform opener, both under explicit CLI commands.
Evidence against
- package.json has no lifecycle scripts; bin is `nf` only.
- Network calls are package-aligned: H1VE API plus deploy providers for explicit connect/serve flows.
- No install-time/import-time execution, obfuscation, eval/vm/Function, or dynamic remote code loading found.
- Local env writes are restricted to safe filenames and require the target env file to be gitignored.
- Local server binds 127.0.0.1, checks loopback host/origin, and requires a random pairing token.
- No writes to Claude/Codex/Cursor/MCP configs or other foreign AI-agent control surfaces found.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
7// ../core/src/branch.ts
L8: import { execFile } from "child_process";
L9: import { promisify } from "util";
High
1107});
L1108: process.stdout.write(
L1109: `Agente H1VE ouvindo em http://127.0.0.1:${port}
L1110: Origem permitida: ${origin}
...
L1122: import { randomBytes as randomBytes2 } from "crypto";
L1123: import { execFile as execFile2 } from "child_process";
L1124: var LOGIN_TIMEOUT_MS = 3 * 60 * 1e3;
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L1107Findings
3 High3 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings