
@intentic/cli@1.60.0

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Risky primitives are tied to explicit deployment/demo CLI commands, not install-time or import-time execution.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs intentic commands such as init, resolve, apply, adopt, demo, or tunnel helpers.
Impact
Can create or modify local project deployment files and configured infrastructure when explicitly run with credentials.
Mechanism
User-invoked infrastructure deployment CLI with git/docker/ssh/network operations.
Rationale
Static inspection shows an infrastructure/deployment CLI with dangerous but expected user-invoked capabilities and no lifecycle hooks, credential exfiltration, persistence, or foreign AI-agent control-surface mutation. Scanner findings are explained by deployment, demo, and control-plane setup features documented in README and wired through explicit commands.
Evidence
  • package.json
  • dist/cli.js
  • dist/app.js
  • dist/init/init.js
  • dist/init/scaffold-app.js
  • dist/resolve/resolve.js
  • dist/apply/apply.command.js
  • dist/demo.js
  • dist/adopt/adopt.command.js
  • dist/secrets/secret-store.js
  • intent/deploy.config.ts
  • intent/package.json
  • intent/tsconfig.json
  • intent/.gitignore
  • desired-state/.gitignore
  • desired-state/desired-state.json
  • desired-state/.env.example
  • desired-state/.secrets.json
  • desired-state/status.json
  • desired-state/access.md
  • desired-state/.last-applied.json
  • app/package.json
  • app/server.js
  • app/Dockerfile
  • app/.gitignore
Network endpoints (2)
  • api.cloudflare.com/client/v4
  • github.com/actions/checkout

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/demo.js can run docker/git/ssh commands and Cloudflare API calls for demo up/down/clear.
  • dist/init/init.js runs git init and pnpm install when the user invokes intentic init.
  • dist/resolve/resolve.js dynamically imports the user-specified deploy config.
Evidence against
  • package.json has no npm lifecycle hooks; bin is only ./dist/cli.js.
  • dist/cli.js only dispatches user-invoked Stricli commands; no install-time behavior found.
  • Network access is package-aligned deployment functionality using Cloudflare/Forgejo/Discord webhook inputs.
  • No writes to Claude/Codex/Cursor/MCP or other AI-agent control surfaces were found.
  • Secret handling stores generated credentials locally/host-side and uses env tokens for requested deploy operations.
Behavioral surface
Source: Child Process · Crypto · Dynamic Require · Environment Vars · Filesystem · Network · Shell
Supply chain: High Entropy Strings · Url Strings
Manifest: No manifest risk signals triggered.
scanned 37 file(s), 88.7 KB of source, external domains: 127.0.0.1, api.cloudflare.com

Source & flagged code

4 flagged
dist/init/scaffold-app.js (L1-L2)
    import { execFile } from "node:child_process";
    import { mkdir, writeFile } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/init/scaffold-app.js · L1
dist/resolve/resolve.js (L6-L8)
    export const loadIntent = async (configPath) => {
      const loaded = (await import(pathToFileURL(resolve(configPath)).href));
      if (loaded.intent === undefined) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/resolve/resolve.js · L6
dist/demo.js (L29-L45, elided)
    const komodoPort = config.demo.komodoPort;
    const GIT_URL = `https://git.${zone}`;
    const KOMODO_URL = `https://deploy.${zone}`;
    ...
    const cliEnv = {
      ...process.env,
      DEMO_DOH_ZONE: zone,
    ...
    const run = (command, args, env = process.env) => new Promise((resolve, reject) => {
      const child = spawn(command, args, { cwd: repoRoot, env, stdio: ["ignore", "inherit", "inherit"] });
      child.on("error", reject);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/demo.js · L29
dist/demo.js (L29-L45, elided)
    const komodoPort = config.demo.komodoPort;
    const GIT_URL = `https://git.${zone}`;
    const KOMODO_URL = `https://deploy.${zone}`;
    ...
    const log = (message) => {
      process.stdout.write(`${message}\n`);
    };
    ...
    const run = (command, args, env = process.env) => new Promise((resolve, reject) => {
      const child = spawn(command, args, { cwd: repoRoot, env, stdio: ["ignore", "inherit", "inherit"] });
      child.on("error", reject);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/demo.js · L29

Findings

4 High · 3 Medium · 4 Low
  • High · Child Process · dist/init/scaffold-app.js
  • High · Shell
  • High · Same File Env Network Execution · dist/demo.js
  • High · Command Output Exfiltration · dist/demo.js
  • Medium · Dynamic Require · dist/resolve/resolve.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings