registry  /  bfi-cli  /  0.1.16

bfi-cli@0.1.16

用友大业财BFI统一命令行工具,支持技能,技能包,元数据,UI元数据等

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `bfi add`, `bfi install`, or equivalent skill-install command.
Impact
Installed skill content may run with the selected AI agent's permissions; no unconsented install-time control-surface mutation is present.
Mechanism
Explicit user-invoked download/clone and copy-or-symlink into agent skill paths.
Rationale
Scanner signals map to the intended CLI functionality: network retrieval, Git subprocesses, and explicit skill installation. Source inspection found no malicious installation hook, autonomous execution, credential exfiltration, or concealed attack chain.
Evidence
package.jsonbin/bfi.mjsdist/cli.mjsdist/_chunks/agents.mjsskills/bfi-skill/SKILL.md
Network endpoints3
bfi.yyuap.com:811skills.shapi.github.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.mjs` implements `add`/`install` commands that install skills into AI-agent directories.
  • `installSkillForAgent` copies or symlinks user-selected skill content into `.agents/skills` or agent-specific skill paths.
  • CLI startup can fetch `/api/v1/public/agents` and merge remote agent path definitions when a token is configured.
  • `dist/cli.mjs` invokes Git/`gh` only for user-requested Git skill sources.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; only publisher-side `prepublishOnly`.
  • `bin/bfi.mjs` only enables Node compile cache and imports the CLI.
  • All agent-surface writes are reached through explicit CLI commands; no import-time or install-time mutation was found.
  • No credential harvesting, covert exfiltration, destructive broad filesystem action, or remote code execution chain was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
WildcardDependency
scanned 13 file(s), 495 KB of source, external domains: api.github.com, bfi.yyuap.com, connectors-skills.zapier.com, example.com, github.com, gitlab.com, raw.githubusercontent.com, schemas.agentskills.io, skillhub.example.com, skillhub.skillhub.woa.com, skills.sh

Source & flagged code

4 flagged · loading source
dist/_chunks/libs/simple-git.mjsView file
6import { normalize } from "node:path"; L7: import { spawn } from "child_process"; L8: import { EventEmitter } from "node:events";
High
Child Process

Package source references child process execution.

dist/_chunks/libs/simple-git.mjsView on unpkg · L6
dist/cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = bfi-cli@0.1.15 matchedIdentity = npm:YmZpLWNsaQ:0.1.15 similarity = 0.923 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.mjsView on unpkg
17import { Writable } from "stream"; L18: import https from "node:https"; L19: import http from "node:http"; ... L22: import { promisify } from "util"; L23: import { execFile, execSync, spawn, spawnSync } from "child_process"; L24: import { access, chmod, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises"; ... L28: var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1); L29: const GIT_HOST = process.env.BFI_GIT_HOST || "github.com"; L30: const GIT_URL = `https://${GIT_HOST}`;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.mjsView on unpkg · L17
17Cross-file remote execution chain: dist/cli.mjs spawns dist/_chunks/libs/simple-git.mjs; helper contains network access plus dynamic code execution. L17: import { Writable } from "stream"; L18: import https from "node:https"; L19: import http from "node:http"; L20: import os$1 from "node:os"; L21: import zlib, { gunzipSync, inflateRawSync } from "node:zlib"; L22: import { promisify } from "util"; L23: import { execFile, execSync, spawn, spawnSync } from "child_process"; L24: import { access, chmod, cp, lstat, mkdir, mkdtemp, readFile, readdir, readlink, realpath, rm, stat, symlink, writeFile } from "fs/promises"; ... L28: var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1); L29: const GIT_HOST = process.env.BFI_GIT_HOST || "github.com"; L30: const GIT_URL = `https://${GIT_HOST}`; ... L63: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L17

Findings

1 Critical4 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
HighChild Processdist/_chunks/libs/simple-git.mjs
HighShell
HighSame File Env Network Executiondist/cli.mjs
HighCross File Remote Execution Contextdist/cli.mjs
MediumNetwork
MediumEnvironment Vars
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings