
@intentic/cli@1.64.0

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a deployment CLI with explicit commands that scaffold repos, manage generated secrets, call configured providers, and run demo infrastructure.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit user CLI commands such as intentic init, resolve, apply, adopt, or demo
Impact
Can modify local project deployment files and configured remote infrastructure when the user runs commands with credentials.
Mechanism
user-invoked deployment orchestration and scaffolding
Rationale
Suspicious primitives are consistent with a deployment automation CLI and are activated by explicit user commands, not install-time or import-time behavior. I found no unconsented lifecycle mutation, credential exfiltration, persistence, destructive action, or foreign AI-agent control hijack.
Evidence
  • package.json
  • dist/cli.js
  • dist/app.js
  • dist/init/init.js
  • dist/init/scaffold-app.js
  • dist/resolve/resolve.js
  • dist/resolve/resolve.command.js
  • dist/apply/apply.command.js
  • dist/adopt/adopt.command.js
  • dist/demo.js
  • dist/secrets/secret-store.js
  • intent/deploy.config.ts
  • intent/package.json
  • intent/.forgejo/workflows/resolve.yaml
  • desired-state/desired-state.json
  • desired-state/.env.example
  • desired-state/.secrets.json
  • desired-state/status.json
  • desired-state/access.md
  • desired-state/.forgejo/workflows/apply.yaml
  • app/package.json
  • app/server.js
  • app/Dockerfile
  • /opt/intentic/secrets.json
Network endpoints (3)
  • api.cloudflare.com/client/v4/accounts/.../cfd_tunnel/.../connections
  • <configured-forgejo-domain>
  • <user-configured-discord-webhook>

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/init/init.js shells out to git/pnpm and writes project scaffolding when init is invoked.
  • dist/demo.js runs Docker/SSH/Cloudflare demo automation and reads a Cloudflare token from config/env.
  • dist/apply/apply.command.js can POST a reconcile summary to a user-configured Discord webhook.
Evidence against
  • package.json has no npm lifecycle hooks; install/import does not run package code.
  • bin dist/cli.js only dispatches explicit stricli commands.
  • dist/resolve/resolve.js imports a user config path and calls Cloudflare only during resolve.
  • File writes are package-aligned: intent, desired-state, app scaffolds, .secrets.json/status/access outputs.
  • No AI-agent control-surface writes, persistence hooks, credential harvesting, or hardcoded exfiltration endpoint found.
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
No manifest risk signals triggered.
scanned 37 file(s), 88.8 KB of source, external domains: 127.0.0.1, api.cloudflare.com

Source & flagged code

4 flagged
dist/init/scaffold-app.js
L1: import { execFile } from "node:child_process";
L2: import { mkdir, writeFile } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/init/scaffold-app.js · View on unpkg · L1
dist/resolve/resolve.js
L6: export const loadIntent = async (configPath) => {
L7:   const loaded = (await import(pathToFileURL(resolve(configPath)).href));
L8:   if (loaded.intent === undefined) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/resolve/resolve.js · View on unpkg · L6
dist/demo.js
L29: const komodoPort = config.demo.komodoPort;
L30: const GIT_URL = `https://git.${zone}`;
L31: const KOMODO_URL = `https://deploy.${zone}`;
...
L38: const cliEnv = {
L39:   ...process.env,
L40:   DEMO_DOH_ZONE: zone,
...
L43: const run = (command, args, env = process.env) => new Promise((resolve, reject) => {
L44:   const child = spawn(command, args, { cwd: repoRoot, env, stdio: ["ignore", "inherit", "inherit"] });
L45:   child.on("error", reject);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/demo.js · View on unpkg · L29
L29: const komodoPort = config.demo.komodoPort;
L30: const GIT_URL = `https://git.${zone}`;
L31: const KOMODO_URL = `https://deploy.${zone}`;
...
L33: const log = (message) => {
L34:   process.stdout.write(`${message}\n`);
L35: };
...
L43: const run = (command, args, env = process.env) => new Promise((resolve, reject) => {
L44:   const child = spawn(command, args, { cwd: repoRoot, env, stdio: ["ignore", "inherit", "inherit"] });
L45:   child.on("error", reject);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/demo.js · View on unpkg · L29

Findings

4 High · 3 Medium · 4 Low
  • High · Child Process · dist/init/scaffold-app.js
  • High · Shell
  • High · Same File Env Network Execution · dist/demo.js
  • High · Command Output Exfiltration · dist/demo.js
  • Medium · Dynamic Require · dist/resolve/resolve.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings