@konversi/konversi-cli@2.12.5

⚠ Under review

Konversi CLI

AI Security Review

scanned 5h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network, shell, token storage, and file writes are package-aligned CLI features gated behind explicit user commands, with no lifecycle execution or foreign AI-agent control-surface mutation.

Static reason
One or more suspicious static signals were detected; the diff against the previously stored version introduced dangerous source.
Trigger
Explicit kvs CLI commands such as login, init, pull, push, api call, or company open.
Impact
Can store a Konversi token locally, initialize project files, sync project resources, install declared project dependencies during init, and open the Konversi dashboard when requested.
Mechanism
User-invoked Konversi project/API management CLI.
Rationale
Static source inspection supports a normal Konversi CLI: risky primitives are user-invoked and aligned with login, project initialization, resource sync, and dashboard opening. I found no install-time execution, credential harvesting beyond user-provided Konversi auth storage/use, exfiltration to unrelated hosts, persistence, destructive behavior, or AI-agent control hijack.
Evidence
• package.json
• dist/index.js
• dist/konversiApi.js
• dist/utils/token.util.js
• dist/utils/config.util.js
• dist/commands/init.js
• dist/commands/company.js
• dist/commands/push.js
• dist/commands/pull.js
• dist/commands/login.js
• ~/.config/my-cli/config.json
• konversi.config.json
• .gitignore
• scripts/*.ts
• scripts/*.meta.yaml
• web/*.tsx
• web/*.meta.yaml
• custom-schemas/*.yaml
• custom-fields/*.yaml
• user-actions/*.yaml
Network endpoints (2)
• api.konversi.net/api
• app.konversi.id/authenticate

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no preinstall/install/postinstall lifecycle hooks; only the kvs bin points to dist/index.js.
• dist/index.js defines explicit Commander CLI actions; import-time behavior only loads the version and the saved token.
• dist/commands/init.js runs git/npm commands only when the user invokes kvs init, creating a Konversi project scaffold.
• dist/commands/company.js uses execSync to open an encoded Konversi dashboard URL with the stored token on explicit kvs company open.
• dist/konversiApi.js uses package-aligned Konversi API endpoints and an optional user-controlled KONVERSI_BASE_URL.
• dist/commands/push.js and dist/commands/pull.js sync local project resources to/from Konversi after command invocation and confirmation/flags.
Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 52 file(s), 1.49 MB of source, external domains: api.konversi.net, app.konversi.id, example.com, media.konversi.net

Source & flagged code

4 flagged

dist/commands/company.js
L18: const chalk_1 = __importDefault(require("chalk"));
L19: const child_process_1 = require("child_process");
L20: const konversiApi_1 = require("../konversiApi");
...
L74: }
L75: const url = `https://app.konversi.id/authenticate?token=${encodeURIComponent(token)}&companyId=${encodeURIComponent(companyId)}`;
L76: const startCmd = process.platform === 'win32' ? `start "" "${url}"` : process.platform === 'darwin' ? `open "${url}"` : `xdg-open "${url}"`;
L77: (0, child_process_1.execSync)(startCmd);

High · Child Process
Package source references child process execution.
dist/commands/company.js · L18

High · Sandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
dist/commands/company.js · L18

dist/commands/init.js
L44: (0, child_process_1.execSync)('npm init -y', { stdio: stdioOpt });
L45: (0, child_process_1.execSync)('npm i @konversi/konversi-client', { stdio: stdioOpt });
L46: (0, child_process_1.execSync)('npm i react-bootstrap', { stdio: stdioOpt });

High · Runtime Package Install
Package source invokes a package manager install command at runtime.
dist/commands/init.js · L44

dist/index.js
matchType = previous_version_dangerous_delta
matchedPackage = @konversi/konversi-cli@2.12.0
matchedIdentity = npm:QGtvbnZlcnNpL2tvbnZlcnNpLWNsaQ:2.12.0
similarity = 0.760
summary = stored previous version shares package body but lacks this dangerous source file

Critical · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.
dist/index.js

Findings

1 Critical · 4 High · 3 Medium · 4 Low
Critical · Previous Version Dangerous Delta · dist/index.js
High · Child Process · dist/commands/company.js
High · Shell
High · Sandbox Evasion Gated Capability · dist/commands/company.js
High · Runtime Package Install · dist/commands/init.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings