AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User explicitly runs the flow CLI with the skills command, or uses CMS/GitHub/image features at runtime
Impact
Can add Flow-specific agent instructions under .agents/skills; runtime CMS features can use configured GitHub tokens for GitHub API calls
Mechanism
explicit agent-skill copy plus package-aligned framework/CMS runtime operations
Rationale
Static inspection does not support the scanner's malicious label: suspicious primitives are framework-aligned and user-invoked, with no install-time mutation or exfiltration chain. Warn rather than block because the explicit CLI skill installation changes an AI-agent control surface.
Evidence
package.jsonsrc/cli.mjsskills/flow/SKILL.mdserver/renderer.mjscms/dist/assets/api-DZ54n4La.jscms/server/utils/github.mjscms/server/utils/github_token.mjsmodules/images/cli-optimize-public.mjs.agents/skillspublicnode_modules/.cache-images.flow/typesserver/server.mjs
Network endpoints1
api.github.com
Decision evidence
public snapshotAI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- src/cli.mjs copies package bundled skills into .agents/skills when user runs flow skills
- skills/*/SKILL.md contains agent instructions, creating an explicit AI-agent extension/control-surface change
- cms/server/utils/github*.mjs reads GH_TOKEN/GH_APP_* and calls https://api.github.com, but only in CMS GitHub features
Evidence against
- package.json has no preinstall/install/postinstall lifecycle scripts
- server/renderer.mjs dynamic import targets local .nitro/vite/services/ssr/index.js runtime artifacts
- cms/dist/assets/api-DZ54n4La.js Unicode hits appear in bundled linkify/emoji parser data, not hidden control-flow code
- modules/images CLI writes image cache/public assets only under invoked project image workflows
- No credential harvesting, broad filesystem scan, persistence, destructive install-time behavior, or exfiltration endpoint found
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedProtestwareUrlStrings
Source & flagged code
2 flagged · loading sourceserver/renderer.mjsView file
24try {
L25: const ssrService = await import(
L26: /* @vite-ignore */
Medium
Dynamic Require
Package source references dynamic require/import behavior.
server/renderer.mjsView on unpkg · L24cms/dist/assets/api-DZ54n4La.jsView file
203contains invisible/control Unicode U+200D (zero width joiner)
`,bD=`️`,xD=`<U+200D>`,SD=``,CD=null,wD=null;function TD(e=[]){let t={};cE.groups=t;let n=new cE;CD??=kD(qT),wD??=kD(JT),Q(n,`'`,BE),Q(n,`{`,CE),Q(n,`}`,wE),Q(n,`[`,TE),Q(n,`]`,EE),Q(n,`(`,DE),Q(n,`)`,OE),Q(n,`<`,kE),Q(n,`>`,AE),Q(n,`(`,jE
Critical
Trojan Source Unicode
Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.
cms/dist/assets/api-DZ54n4La.jsView on unpkg · L203Findings
1 Critical5 Medium4 Low
CriticalTrojan Source Unicodecms/dist/assets/api-DZ54n4La.js
MediumDynamic Requireserver/renderer.mjs
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings