@intentic/cli@1.71.0

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Risky primitives are present but tied to explicit deployment, scaffolding, adoption, tunnel, or demo commands.

Static reason
One or more suspicious static signals were detected.
Trigger
User explicitly invokes intentic commands such as init, resolve, apply, adopt, sandbox-tunnel, host-ssh-tunnel, or directly runs dist/demo.js.
Impact
Can create or modify project deployment files and configured cloud/self-hosted resources as requested by the CLI; no covert install/import behavior identified.
Mechanism
User-invoked deployment orchestration with git, SSH, Docker, local file writes, and Cloudflare/Forgejo APIs.
Rationale
Static inspection found deployment-oriented dual-use primitives, but they are behind explicit user commands and aligned with the package purpose, with no lifecycle hook or covert exfiltration path. The scanner hints are explained by legitimate Cloudflare/Forgejo/SSH/Docker orchestration and demo code.
Evidence
  • package.json
  • dist/cli.js
  • dist/app.js
  • dist/init/init.js
  • dist/init/scaffold-app.js
  • dist/resolve/resolve.js
  • dist/resolve/resolve.command.js
  • dist/apply/apply.command.js
  • dist/adopt/adopt.js
  • dist/adopt/adopt.command.js
  • dist/demo.js
  • dist/lib/cf-tunnel.js
  • intent/deploy.config.ts
  • intent/package.json
  • intent/tsconfig.json
  • intent/.gitignore
  • desired-state/desired-state.json
  • desired-state/.env.example
  • desired-state/.secrets.json
  • desired-state/.last-applied.json
  • desired-state/status.json
  • desired-state/access.md
  • app/package.json
  • app/server.js
  • app/Dockerfile
  • app/.gitignore
  • .demo/state.json
Network endpoints (3)
  • api.cloudflare.com/client/v4
  • <user-domain>
  • 127.0.0.1:<configured-port>

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/demo.js can run Docker, SSH, git-like CLI flows and Cloudflare tunnel deletion/creation when directly invoked with up/down/clear.
  • dist/init/init.js runs git init and pnpm install during explicit intentic init scaffolding.
  • dist/adopt/adopt.js commits/pushes local intent repos to user Forgejo using provided credentials.
  • dist/resolve/resolve.js dynamically imports the user-supplied deploy config path for resolution.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; bin only points to dist/cli.js.
  • dist/cli.js only dispatches the Stricli command app; no install-time or import-time payload seen in CLI entrypoint.
  • Network use is deployment-aligned: Cloudflare API, user domains, local demo services, Forgejo control-plane operations.
  • Secrets are read from user env/.env or generated stores for deployment workflows; no evidence of covert credential harvesting or third-party exfiltration.
  • Filesystem writes are scoped to explicit CLI outputs such as intent/, desired-state/, app/, .secrets.json, access/status files, or demo state.
  • No AI-agent control-surface mutation, persistence hook, destructive broad filesystem behavior, or remote payload execution found.
Behavioral surface
Source
  • Child Process
  • Crypto
  • Dynamic Require
  • Environment Vars
  • Filesystem
  • Network
  • Shell
Supply chain
  • High Entropy Strings
  • Url Strings
Manifest
No manifest risk signals triggered.
scanned 37 file(s), 88.8 KB of source, external domains: 127.0.0.1, api.cloudflare.com

Source & flagged code

4 flagged
dist/init/scaffold-app.js
L1: import { execFile } from "node:child_process";
L2: import { mkdir, writeFile } from "node:fs/promises";
High
Child Process

Package source references child process execution.

dist/init/scaffold-app.js · L1
dist/resolve/resolve.js
L6: export const loadIntent = async (configPath) => {
L7:   const loaded = (await import(pathToFileURL(resolve(configPath)).href));
L8:   if (loaded.intent === undefined) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/resolve/resolve.js · L6
dist/demo.js
L29: const komodoPort = config.demo.komodoPort;
L30: const GIT_URL = `https://git.${zone}`;
L31: const KOMODO_URL = `https://deploy.${zone}`;
...
L38: const cliEnv = {
L39:   ...process.env,
L40:   DEMO_DOH_ZONE: zone,
...
L43: const run = (command, args, env = process.env) => new Promise((resolve, reject) => {
L44:   const child = spawn(command, args, { cwd: repoRoot, env, stdio: ["ignore", "inherit", "inherit"] });
L45:   child.on("error", reject);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/demo.js · L29
dist/demo.js
L29: const komodoPort = config.demo.komodoPort;
L30: const GIT_URL = `https://git.${zone}`;
L31: const KOMODO_URL = `https://deploy.${zone}`;
...
L33: const log = (message) => {
L34:   process.stdout.write(`${message}\n`);
L35: };
...
L43: const run = (command, args, env = process.env) => new Promise((resolve, reject) => {
L44:   const child = spawn(command, args, { cwd: repoRoot, env, stdio: ["ignore", "inherit", "inherit"] });
L45:   child.on("error", reject);
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/demo.js · L29

Findings

4 High · 3 Medium · 4 Low
High · Child Process · dist/init/scaffold-app.js
High · Shell
High · Same File Env Network Execution · dist/demo.js
High · Command Output Exfiltration · dist/demo.js
Medium · Dynamic Require · dist/resolve/resolve.js
Medium · Network
Medium · Environment Vars
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings