AI Security Review
scanned 4h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `flow skills`; other network/file actions require runtime CMS/image/framework use.
Impact
Potential AI-agent behavior extension for the current project; no unconsented install-time mutation or exfiltration found.
Mechanism
explicit package-owned agent skill copy and framework runtime services
Rationale
Source inspection does not support the scanner's malicious verdict: there is no lifecycle hook, covert payload, credential harvesting, or unconsented broad AI-agent control mutation. The explicit `.agents/skills` setup is a real but user-invoked agent extension risk, so warn rather than block.
Evidence
package.jsonsrc/cli.mjsskills/*/SKILL.mdserver/renderer.mjsmodules/images/cli.mjsmodules/images/cli-optimize-public.mjsmodules/images/cli-pregenerate.mjscms/server/utils/github.mjscms/server/utils/github_token.mjsserver/routes/api/r2/sign.post.mjsmodules/strapi/runtime/client.mjs.agents/skillspublic/node_modules/.cache-imagesshared/seo_images
Network endpoints6
api.github.comgithub.com/apps/ungh-appcdnjs.cloudflare.com/ajax/libs/lazysizes/5.3.2/lazysizes.min.js{accountId}.r2.cloudflarestorage.comlocalhost:1337localhost:3000
Decision evidence
public snapshotAI called this Suspicious at 82.0% confidence as Benign with medium false-positive risk.
Evidence for warning
- src/cli.mjs explicit `flow skills` command copies bundled `skills/` into project `.agents/skills`.
- Bundled skills are AI-agent instructions, creating an agent extension surface when user-invoked.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts.
- Main/exported files are Flow/Vite/Nitro/Vue runtime entrypoints, not install-time code.
- server/renderer.mjs dynamically imports local Nitro/Vite SSR service paths under the project, aligned with framework rendering.
- modules/images CLI writes/optimizes project `public/` images only when the user runs the bin.
- Network use is package-aligned CMS/Strapi/GitHub/R2 runtime functionality, not covert exfiltration.
- Inspected skills are Spanish Flow framework documentation/instructions; no prompt injection or credential theft found.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Source & flagged code
2 flagged · loading sourceserver/renderer.mjsView file
24try {
L25: const ssrService = await import(
L26: /* @vite-ignore */
Medium
Dynamic Require
Package source references dynamic require/import behavior.
server/renderer.mjsView on unpkg · L24cms/dist/assets/api-DZ54n4La.jsView file
203contains invisible/control Unicode U+200D (zero width joiner)
`,bD=`️`,xD=`<U+200D>`,SD=``,CD=null,wD=null;function TD(e=[]){let t={};cE.groups=t;let n=new cE;CD??=kD(qT),wD??=kD(JT),Q(n,`'`,BE),Q(n,`{`,CE),Q(n,`}`,wE),Q(n,`[`,TE),Q(n,`]`,EE),Q(n,`(`,DE),Q(n,`)`,OE),Q(n,`<`,kE),Q(n,`>`,AE),Q(n,`(`,jE
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
cms/dist/assets/api-DZ54n4La.jsView on unpkg · L203Findings
1 Critical5 Medium4 Low
CriticalTrojan Source Unicodecms/dist/assets/api-DZ54n4La.js
MediumDynamic Requireserver/renderer.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings