@konversi/konversi-cli@2.11.0

Konversi CLI

AI Security Review

scanned 22h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. Suspicious primitives are tied to explicit CLI workflows for a Konversi project manager.

Static reason
One or more suspicious static signals were detected; the previous stored version diff introduced dangerous source.
Trigger
User-invoked CLI commands such as `kvs login`, `kvs init`, `kvs pull`, `kvs push`, or `kvs company open`.
Impact
Expected CLI behavior: authenticate to Konversi, create/update local project files, open dashboard, and sync resources with Konversi backend.
Mechanism
Package-aligned API client, project scaffolding, and local sync operations
Rationale
Static inspection shows a conventional Konversi CLI with user-invoked network/API, package install, browser-open, and file-sync behavior; the scanner signals are explained by package-aligned functionality. No unconsented lifecycle execution, credential harvesting beyond explicit login/token storage, exfiltration to unrelated endpoints, persistence, destructive behavior, or AI-agent control hijack was found.
Evidence
  • package.json
  • dist/index.js
  • dist/konversiApi.js
  • dist/commands/company.js
  • dist/commands/init.js
  • dist/commands/pull.js
  • dist/commands/push.js
  • dist/utils/token.util.js
  • dist/utils/config.util.js
  • konversi.config.json
  • .gitignore
  • scripts/
  • web/
  • custom-schemas/
  • custom-fields/
  • user-actions/
Network endpoints (2)
  • api.konversi.net/api
  • app.konversi.id/authenticate

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/commands/company.js uses execSync to open a Konversi dashboard URL containing the saved token, but only under user-run `kvs company open`.
  • dist/commands/init.js runs `git init`, `npm init -y`, and installs @konversi/konversi-client/react-bootstrap only under user-run `kvs init`.
  • dist/konversiApi.js supports KONVERSI_BASE_URL override, so API destination can be user-controlled.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • dist/index.js only registers Commander CLI commands and reads saved token; no install-time or import-time exfiltration found.
  • Network calls in dist/konversiApi.js target Konversi API endpoints for login, company, scripts, web components, schema, SQL, and entity CLI functions.
  • Token handling in dist/utils/token.util.js reads KONVERSI_TOKEN or local config and sends it as Authorization only to configured Konversi API calls.
  • Filesystem writes in dist/commands/init.js, pull.js, generate*.js, and config.util.js are user-invoked project/config generation or sync behavior.
  • No eval/vm/Function, native binary loading, persistence, destructive actions, reviewer prompt injection, or AI-agent control-surface writes found.
Behavioral surface
Source: Child Process, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 50 file(s), 285 KB of source, external domains: api.konversi.net, app.konversi.id

Source & flagged code

4 flagged
dist/commands/company.js
High
Child Process

Package source references child process execution.

dist/commands/company.js · L18
L18: const chalk_1 = __importDefault(require("chalk"));
L19: const child_process_1 = require("child_process");
L20: const konversiApi_1 = require("../konversiApi");
...
L74: }
L75: const url = `https://app.konversi.id/authenticate?token=${encodeURIComponent(token)}&companyId=${encodeURIComponent(companyId)}`;
L76: const startCmd = process.platform === 'win32' ? `start "" "${url}"` : process.platform === 'darwin' ? `open "${url}"` : `xdg-open "${url}"`;
L77: (0, child_process_1.execSync)(startCmd);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands/company.js · L18
dist/commands/init.js
L44: (0, child_process_1.execSync)('npm init -y', { stdio: stdioOpt });
L45: (0, child_process_1.execSync)('npm i @konversi/konversi-client', { stdio: stdioOpt });
L46: (0, child_process_1.execSync)('npm i react-bootstrap', { stdio: stdioOpt });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/commands/init.js · L44
dist/index.js
matchType = previous_version_dangerous_delta
matchedPackage = @konversi/konversi-cli@2.10.2
matchedIdentity = npm:QGtvbnZlcnNpL2tvbnZlcnNpLWNsaQ:2.10.2
similarity = 0.917
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.js

Findings

1 Critical · 4 High · 3 Medium · 4 Low
  • Critical · Previous Version Dangerous Delta · dist/index.js
  • High · Child Process · dist/commands/company.js
  • High · Shell
  • High · Sandbox Evasion Gated Capability · dist/commands/company.js
  • High · Runtime Package Install · dist/commands/init.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings