AI Security Review
scanned 4d ago · by lpm-firewall-aiNo confirmed malicious install-time or import-time behavior. The explicit `nf serve` command provides a paired loopback agent for applying user-supplied environment variables locally or to selected deployment providers.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs `nf serve` and supplies its displayed pairing token through the permitted browser origin.
Impact
Can modify a gitignored local env file or selected provider environment variables when explicitly invoked and authenticated.
Mechanism
Paired loopback environment-variable and deployment-provider management
Rationale
Direct inspection shows a user-invoked CLI with expected credential, Git, local-agent, and deployment-management functions; no lifecycle execution, covert collection, foreign AI-agent configuration mutation, or unconsented exfiltration was found. Static signals correspond to documented functionality guarded by explicit commands, loopback binding, origin checks, and pairing-token authentication.
Evidence
package.jsondist/index.jsREADME.md.env.local~/.config/h1ve/credentials.json
Network endpoints6
app.h1ve.orgapi.vercel.comapi.netlify.comapi.fly.io/graphqlbackboard.railway.com/graphql/v2api.render.com
Decision evidence
public snapshotAI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/index.js` exposes `nf serve`, which can write local and deployment environment variables.
- `dist/index.js` reads API credentials from environment or `~/.config/h1ve/credentials.json`.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hook.
- `dist/index.js` only invokes `git` with fixed argument arrays for branch and remote operations.
- Credential writes occur only through explicit `nf login`; logout removes that same file.
- `nf connect` writes only a gitignored local env file after explicit `--env` input.
- `nf serve` binds to `127.0.0.1`, enforces origin/host checks, and requires a random pairing token.
- Deployment API calls occur only after an explicit paired local-agent request with supplied provider token.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
7// ../core/src/branch.ts
L8: import { execFile } from "child_process";
L9: import { promisify } from "util";
High
1137});
L1138: process.stdout.write(
L1139: `Agente H1VE ouvindo em http://127.0.0.1:${port}
L1140: Origem permitida: ${origin}
...
L1152: import { randomBytes as randomBytes2 } from "crypto";
L1153: import { execFile as execFile2 } from "child_process";
L1154: var LOGIN_TIMEOUT_MS = 3 * 60 * 1e3;
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L1137Findings
3 High3 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings