registry  /  @modelgov/cli  /  1.7.0

@modelgov/cli@1.7.0

Modelgov CLI for setup, operations, validation, and policy decisions.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a user-invoked Modelgov CLI with local/project setup, diagnostics, and API administration commands.

Static reason
One or more suspicious static signals were detected.
Trigger
Explicit `modelgov` CLI subcommands such as explain, keys, setup/up/down/doctor/smoke/reset.
Impact
Expected CLI side effects only: local service checks, docker compose commands, .env template creation, and optional .env removal with --yes.
Mechanism
Policy/admin CLI making configured API calls and running local Docker/project setup commands.
Rationale
Scanner findings are explained by legitimate CLI operations: local Modelgov API calls, Docker orchestration, browser opening, and project .env handling behind explicit commands. There are no lifecycle hooks, stealth exfiltration, remote payload execution, persistence, destructive unguarded behavior, or broad AI-agent control mutation.
Evidence
package.jsondist/index.js.env.env.production.env.example.env.azure.example.env.local.examplemodelgov.yamlscripts/up-prod.shdocker-compose.simple.ymldocker-compose.dev.full.ymldocker-compose.local.ymldocker-compose.cloud.ymldocker-compose.azure.ymldocker-compose.production.yml
Network endpoints6
localhost:3090localhost:11434/api/tags127.0.0.1:<port>/v1/admin/policy/active127.0.0.1:<port>/v1/chat127.0.0.1:<port>/ready127.0.0.1:<port>/health

Decision evidence

public snapshot
AI called this Clean at 93.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no lifecycle hooks; only a modelgov bin pointing to dist/index.js.
    • Network use is explicit CLI behavior to configured/local Modelgov endpoints, e.g. /v1/explain, /v1/admin/keys, /v1/chat.
    • child_process use runs browser open commands, docker compose, bash scripts, and version checks from user-invoked ops commands.
    • File writes are project-scoped setup/reset actions: copy templates to .env and unlink .env only with reset --yes.
    • Reads of .env/config files support doctor, smoke, and policy evaluation; no code path sends arbitrary env dumps or files to third-party hosts.
    • No eval/vm/dynamic require, native binary loading, install-time execution, persistence, or AI-agent control-surface mutation found.
    Behavioral surface
    Source
    ChildProcessEnvironmentVarsFilesystemNetworkShell
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1 file(s), 53.8 KB of source, external domains: 127.0.0.1

    Source & flagged code

    3 flagged · loading source
    dist/index.jsView file
    412import { basename, resolve as resolve2 } from "path"; L413: import { spawn as spawn2 } from "child_process"; L414: import { parse as parseYaml } from "yaml";
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L412
    416// src/browserOpen.ts L417: import { spawn } from "child_process"; L418: var DEFAULT_CONSOLE_PORT = 5174; ... L420: const params = new URLSearchParams({ url: apiUrl, token: apiKey }); L421: return `http://localhost:${consolePort}/login?${params.toString()}`; L422: } ... L428: function maybeOpenBrowser(url) { L429: if (process.env.CI || process.env.MODELGOV_NO_OPEN || !process.stdout.isTTY) return false; L430: try {
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/index.jsView on unpkg · L416
    416// src/browserOpen.ts L417: import { spawn } from "child_process"; L418: var DEFAULT_CONSOLE_PORT = 5174; L419: function buildAutoconnectConsoleUrl(apiUrl, apiKey, consolePort = DEFAULT_CONSOLE_PORT) { L420: const params = new URLSearchParams({ url: apiUrl, token: apiKey }); L421: return `http://localhost:${consolePort}/login?${params.toString()}`; L422: } ... L428: function maybeOpenBrowser(url) { L429: if (process.env.CI || process.env.MODELGOV_NO_OPEN || !process.stdout.isTTY) return false; L430: try {
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/index.jsView on unpkg · L416

    Findings

    4 High2 Medium4 Low
    HighChild Processdist/index.js
    HighShell
    HighSame File Env Network Executiondist/index.js
    HighCommand Output Exfiltrationdist/index.js
    MediumNetwork
    MediumEnvironment Vars
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings