registry  /  @h1veframework/cli  /  0.9.0

@h1veframework/cli@0.9.0

The CLI for H1VE — the governance & memory layer for teams building with AI. Drive your feature flow (start, status, move, spec, done) from the terminal. Works with Claude Code, Cursor and Copilot.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `h1ve serve` and supplies the displayed pairing token to the permitted dashboard origin.
Impact
Can alter deployment secrets and configuration for accounts whose provider tokens are supplied.
Mechanism
Loopback HTTP agent applies supplied secrets to local env files or selected deployment-provider APIs.
Rationale
The package is not malicious by static inspection, but its explicit local-agent deployment-secret mutation capability warrants a warning classification under the dangerous-capability boundary.
Evidence
package.jsonREADME.mddist/index.js.env.local~/.config/h1ve/credentials.json
Network endpoints6
app.h1ve.orgapi.vercel.comapi.netlify.comapi.fly.io/graphqlbackboard.railway.com/graphql/v2api.render.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` exposes explicit `h1ve serve` routes that write/remove local environment variables.
  • `/apply-deploy` and `/remove-deploy` accept supplied provider tokens and mutate deployment environment variables.
  • The local agent supports Vercel, Netlify, Fly, Railway, and Render API calls.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `dist/index.js` runs child processes only for Git operations and opening the login browser.
  • The agent binds to `127.0.0.1`, checks origin/host, and requires a random pairing token.
  • No reads of shell history, SSH keys, browser data, or unrelated AI-agent configuration were found.
  • `connect` writes only user-provided keys to a gitignored local env file and sends metadata without values.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 1 file(s), 58.4 KB of source, external domains: 127.0.0.1, api.fly.io, api.netlify.com, api.render.com, api.vercel.com, app.h1ve.org, backboard.railway.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
7// ../core/src/branch.ts L8: import { execFile } from "child_process"; L9: import { promisify } from "util";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L7
1242}); L1243: process.stdout.write( L1244: `Agente H1VE ouvindo em http://127.0.0.1:${port} L1245: Origem permitida: ${origin} ... L1257: import { randomBytes as randomBytes2 } from "crypto"; L1258: import { execFile as execFile2 } from "child_process"; L1259: var LOGIN_TIMEOUT_MS = 3 * 60 * 1e3;
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L1242

Findings

3 High3 Medium4 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings