AI Security Review
scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a deployment CLI with explicit commands that scaffold project directories, reconcile infrastructure, create Cloudflare tunnels/DNS, and push Forgejo repos/secrets.
Decision evidence
public snapshot
- package.json has no npm lifecycle scripts; only bin "intentic" -> dist/cli.js.
- dist/cli.js only dispatches @stricli CLI routes; no import-time install behavior.
- Child process use is user-invoked: the init command runs git/pnpm scaffolding, and the demo command runs a Docker/SSH demo workflow.
- Network/API use is package-aligned deployment automation for Cloudflare, Forgejo, Discord webhook, and user-specified services.
- No writes to Claude/Codex/Cursor/MCP/agent control surfaces or shell/VCS persistence hooks found.
- Secrets are read from env/project files for deployment and repo secret setup; no hardcoded exfiltration endpoint found.
Source & flagged code
4 flagged
- Package source references child process execution.
  dist/init/scaffold-app.js, line 1
- Package source references dynamic require/import behavior.
  dist/resolve/resolve.js, line 6
- A single source file combines environment access, network access, and code or shell execution; review context before blocking.
  dist/demo.js, line 29
- Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
  dist/demo.js, line 29