AI Security Review
scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network, shell, token storage, and file writes are package-aligned CLI features gated behind explicit user commands, with no lifecycle execution or foreign AI-agent control-surface mutation.
Decision evidence
public snapshot

- package.json has no preinstall/install/postinstall lifecycle hooks; its only bin entry, kvs, points to dist/index.js.
- dist/index.js defines explicit Commander CLI actions; import-time behavior only loads version and saved token.
- dist/commands/init.js runs git/npm commands only when user invokes kvs init, creating a Konversi project scaffold.
- dist/commands/company.js calls execSync to open an encoded Konversi dashboard URL carrying the stored token, only on explicit kvs company open. Because execSync passes its command string through a shell, confirm in the linked source that the interpolated URL and token are escaped.
- dist/konversiApi.js uses package-aligned Konversi API endpoints and optional user-controlled KONVERSI_BASE_URL.
- dist/commands/push.js and dist/commands/pull.js sync local project resources to/from Konversi after command invocation and confirmation/flags.
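The checks the decision evidence above rests on (no install-time lifecycle hooks; child_process use confined to code that runs only when a command is invoked; package-manager invocations at runtime; platform or CI checks next to a call), written out as a small Node.js triage script. This is an added example, not lpm-firewall-ai's scanner and not code from the kvs package: the package.json, the source snippets, and the heuristics (brace depth as a proxy for import-time execution, a five-line lookback for platform or CI checks) are all constructed here.

```javascript
// Added triage script (not lpm-firewall-ai's scanner, not kvs code): replays
// the decision-evidence checks on constructed inputs.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
const CHILD_PROCESS_CALL = /\b(execSync|execFileSync|spawnSync|exec|execFile|spawn)\s*\(/;
const PKG_MANAGER_INSTALL = /\b(npm|pnpm|yarn)\s+(install|i|add|ci)\b/;
const FINGERPRINT_GATE = /process\.platform|process\.env\.CI\b|os\.hostname\(|os\.platform\(/;
const STRING_LITERAL = /(["'`])(?:\\.|(?!\1).)*\1/g;

// Lifecycle scripts run during `npm install` with no user command at all.
function findLifecycleHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((name) => Object.prototype.hasOwnProperty.call(scripts, name));
}

// Heuristic: a child_process call at brace depth 0 runs when the module is
// required (import time); deeper calls sit inside a function or block and wait
// to be invoked. String literals and // comments are blanked before counting
// braces so `${...}` and quoted braces do not skew the depth. A top-level
// if-block also reads as "deferred" here, so treat the result as a triage hint.
function scanChildProcessUse(source) {
  const lines = source.split('\n');
  const findings = [];
  let depth = 0;
  lines.forEach((raw, idx) => {
    const code = raw.replace(STRING_LITERAL, '""').replace(/\/\/.*$/, '');
    const hit = code.match(CHILD_PROCESS_CALL);
    if (hit) {
      // Look back a few lines for a platform/CI/host check guarding the call.
      const context = lines.slice(Math.max(0, idx - 5), idx + 1).join('\n');
      findings.push({
        line: idx + 1,
        call: hit[1],
        importTime: depth === 0,
        fingerprintGated: FINGERPRINT_GATE.test(context),
        packageManagerInstall: PKG_MANAGER_INSTALL.test(raw),
      });
    }
    for (const ch of code) {
      if (ch === '{') depth += 1;
      else if (ch === '}') depth -= 1;
    }
  });
  return findings;
}

// Rolls the per-file findings into the verdict shape used above.
function summarize(pkg, files) {
  const lifecycleHooks = findLifecycleHooks(pkg);
  const findings = Object.entries(files).flatMap(([file, src]) =>
    scanChildProcessUse(src).map((f) => ({ file, ...f })));
  return {
    lifecycleHooks,
    importTimeExecution: lifecycleHooks.length > 0 || findings.some((f) => f.importTime),
    findings,
  };
}

// Constructed inputs modelled on the evidence above; not the real kvs files.
const SAMPLE_PKG = { name: 'kvs-like', bin: { kvs: 'dist/index.js' }, scripts: { build: 'tsc' } };
const SAMPLE_FILES = {
  'company.js': [
    "const { execSync } = require('child_process');",
    "const os = require('os');",
    '',
    'function openDashboard(token) {',
    '  const url = `https://example.invalid/dashboard?token=${encodeURIComponent(token)}`;',
    "  const opener = process.platform === 'win32' ? 'start' : 'open';",
    '  execSync(`${opener} ${url}`);',
    '}',
  ].join('\n'),
  'init.js': [
    "const { execSync } = require('child_process');",
    '',
    'function scaffold(dir) {',
    "  execSync('git init', { cwd: dir });",
    "  execSync('npm install', { cwd: dir, stdio: 'inherit' });",
    '}',
  ].join('\n'),
};
// Counter-example: the shape a malicious package would have (runs on require).
const IMPORT_TIME_SAMPLE = [
  "const { execSync } = require('child_process');",
  "execSync('npm install -g hypothetical-pkg');",
].join('\n');

console.log(JSON.stringify(summarize(SAMPLE_PKG, SAMPLE_FILES), null, 2));
console.log(JSON.stringify(scanChildProcessUse(IMPORT_TIME_SAMPLE), null, 2));
```

Running it shows why the flags below need source-aware review rather than automatic rejection: the company.js-style snippet trips both the child-process rule and the "fingerprint gate" rule, but the gate is a `process.platform` switch choosing `open` versus `start`, and the call sits inside a function rather than at import time. The counter-example is what an actual install-time payload looks like: depth 0, no user command, package-manager install.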
Source & flagged code
4 flagged

- dist/commands/company.js L18 (view on unpkg): Package source references child process execution.
- dist/commands/company.js L18 (view on unpkg): Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
- dist/commands/init.js L44 (view on unpkg): Package source invokes a package manager install command at runtime.
- dist/index.js (view on unpkg): This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.