AI Security Review
scanned 22h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. Suspicious primitives are tied to explicit CLI workflows for a Konversi project manager.
Decision evidence
public snapshot

- dist/commands/company.js uses execSync to open a Konversi dashboard URL containing the saved token, but only under user-run `kvs company open`.
- dist/commands/init.js runs `git init`, `npm init -y`, and installs @konversi/konversi-client/react-bootstrap only under user-run `kvs init`.
- dist/konversiApi.js supports KONVERSI_BASE_URL override, so API destination can be user-controlled.
- package.json has no install/preinstall/postinstall lifecycle hooks.
- dist/index.js only registers Commander CLI commands and reads saved token; no install-time or import-time exfiltration found.
- Network calls in dist/konversiApi.js target Konversi API endpoints for login, company, scripts, web components, schema, SQL, and entity CLI functions.
- Token handling in dist/utils/token.util.js reads KONVERSI_TOKEN or local config and sends it as Authorization only to configured Konversi API calls.
- Filesystem writes in dist/commands/init.js, pull.js, generate*.js, and config.util.js are user-invoked project/config generation or sync behavior.
- No eval/vm/Function, native binary loading, persistence, destructive actions, reviewer prompt injection, or AI-agent control-surface writes found.
Source & flagged code
4 flagged

- Package source references child process execution. (dist/commands/company.js, line 18)
- Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. (dist/commands/company.js, line 18)
- Package source invokes a package manager install command at runtime. (dist/commands/init.js, line 44)
- This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. (dist/index.js)