AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. Risky primitives are aligned with an infrastructure deployment CLI and are activated by explicit commands, not npm install or import.
Decision evidence
public snapshot
- package.json has no npm lifecycle hooks; only bin points to dist/cli.js.
- dist/cli.js only starts the Stricli CLI; no install/import-time side effects observed.
- dist/init/init.js and dist/init/scaffold-app.js run git/pnpm and write scaffold files only when user invokes init.
- dist/resolve/resolve.js imports a user-specified config and calls Cloudflare APIs using user env secrets for zone discovery.
- dist/apply/apply.command.js reconciles user-provided desired-state artifacts and optionally posts a non-secret status summary to a configured webhook.
- dist/demo.js Docker/Cloudflare/SSH actions are explicit demo up/down/clear behavior, not automatic package execution.
Source & flagged code
4 flagged
- Package source references child process execution. dist/init/scaffold-app.js · L1
- Package source references dynamic require/import behavior. dist/resolve/resolve.js · L6
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. dist/demo.js · L29
- Source combines command execution, command-output handling, and outbound requests; review data flow before blocking. dist/demo.js · L29