registry  /  bfi-cli  /  0.1.10

bfi-cli@0.1.10

用友大业财BFI统一命令行工具,支持技能,技能包,元数据,UI元数据等

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `bfi add`/`bfi skills add` or `bfi skills use --agent`.
Impact
A user-approved install can place untrusted prompt/instruction content into agent-consumed skill paths, creating downstream agent-control risk.
Mechanism
Explicit remote skill acquisition, AI-agent skill-directory writes, and optional local agent launch.
Rationale
This package is not conclusively malicious: it has no install-time hook or confirmed stealth/exfiltration behavior. Its explicit cross-agent skill installation and agent-launch features create a real downstream AI-agent capability risk that merits a warning.
Evidence
package.jsonbin/bfi.mjsdist/cli.mjsdist/_chunks/agents.mjs~/.bfi/config.json~/.bfi/agents-cache.json.agents/skills/<skill>~/.codex/skills/<skill>
Network endpoints5
bfi.yyuap.com:811api.github.comgithub.comgitlab.comskills.sh

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.mjs` implements `bfi add` to fetch/clone third-party skill sources and install their files.
  • `dist/cli.mjs` maps many AI agents, including Codex and Cursor, to project/global skill directories.
  • `dist/cli.mjs` can launch a selected local agent with downloaded skill content via `skills use --agent`.
  • `dist/_chunks/agents.mjs` fetches and caches remote agent definitions in `~/.bfi/agents-cache.json`.
Evidence against
  • `package.json` has only `prepublishOnly`; no install, postinstall, or preinstall hook.
  • `bin/bfi.mjs` only enables Node compile cache then imports the CLI after the user invokes `bfi`.
  • Agent-directory writes occur through explicit CLI skill-install commands and use path-traversal checks.
  • No package-originated credential harvesting, covert exfiltration, or remote payload execution was confirmed.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 13 file(s), 494 KB of source, external domains: api.github.com, bfi.yyuap.com, connectors-skills.zapier.com, example.com, github.com, gitlab.com, raw.githubusercontent.com, schemas.agentskills.io, skillhub.example.com, skillhub.skillhub.woa.com, skills.sh

Source & flagged code

2 flagged · loading source
dist/_chunks/libs/simple-git.mjsView file
6import { normalize } from "node:path"; L7: import { spawn } from "child_process"; L8: import { EventEmitter } from "node:events";
High
Child Process

Package source references child process execution.

dist/_chunks/libs/simple-git.mjsView on unpkg · L6
dist/cli.mjsView file
17Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/simple-git.mjs; helper contains network access plus dynamic code execution. L17: import { Writable } from "stream"; L18: import https from "node:https"; L19: import http from "node:http"; L20: import os$1 from "node:os"; L21: import zlib, { gunzipSync, inflateRawSync } from "node:zlib"; L22: import { promisify } from "util"; L23: import { execFile, execSync, spawn, spawnSync } from "child_process"; L24: import { access, chmod, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises"; ... L61: } L62: async function isRepoPrivate(owner, repo) { L63: try { ... L295: function countVisualRowsForLines(lines, columns) {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L17

Findings

3 High3 Medium5 Low
HighChild Processdist/_chunks/libs/simple-git.mjs
HighShell
HighCross File Remote Execution Contextdist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings