AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The user-invoked CLI manages H1VE workflow state, local credentials, and explicitly supplied deployment configuration.
Static reason
One or more suspicious static signals were detected.
Trigger
Explicit execution of `h1ve` or `nf`, including `h1ve serve` for the local agent.
Impact
Can modify user-selected local git-ignored env files or selected provider env settings only after explicit invocation and pairing.
Mechanism
Authenticated H1VE API client and loopback-gated deployment environment helper.
Rationale
The scanner signals correspond to documented, user-invoked CLI functions and constrained local/deployment credential handling. Source inspection found no lifecycle execution, harvesting, off-target exfiltration, remote payload execution, persistence, or AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/index.js.env.local~/.config/h1ve/credentials.json
Network endpoints6
app.h1ve.orgapi.vercel.comapi.netlify.comapi.fly.io/graphqlbackboard.railway.com/graphql/v2api.render.com
Decision evidence
public snapshotAI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
- `dist/index.js` offers explicit `h1ve serve` routes that can apply caller-supplied environment values locally or to selected deployment providers.
Evidence against
- `package.json` defines no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
- `dist/index.js` is only the declared `h1ve`/`nf` executable; no import-time background behavior is present.
- `execFile` is limited to fixed `git` operations and opening the login browser, with no shell-string execution.
- Local env writes require an explicit command or loopback request, a pairing token, an allowed origin, a safe basename, and `git check-ignore`.
- The loopback agent binds only to `127.0.0.1`; provider tokens and env values are sent only to the selected Vercel, Netlify, Fly, Railway, or Render API.
- `connect` registers only connection metadata with H1VE; parsed `KEY=VALUE` secrets are written locally and are not included in its H1VE API request.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
WildcardDependency
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
7// ../core/src/branch.ts
L8: import { execFile } from "child_process";
L9: import { promisify } from "util";
High
1188});
L1189: process.stdout.write(
L1190: `Agente H1VE ouvindo em http://127.0.0.1:${port}
L1191: Origem permitida: ${origin}
...
L1203: import { randomBytes as randomBytes2 } from "crypto";
L1204: import { execFile as execFile2 } from "child_process";
L1205: var LOGIN_TIMEOUT_MS = 3 * 60 * 1e3;
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L1188Findings
3 High3 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings