registry  /  convex  /  1.42.2

convex@1.42.2

Client for the Convex Cloud

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The CLI can install a remotely resolved `skills@latest` package and Convex agent skills into a user project. It also writes managed AI-assistant guidance files when the user accepts interactive setup or invokes AI-file commands.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs interactive Convex project configuration and accepts the default AI-files prompt, or runs `convex ai-files install`/`update`.
Impact
Can alter project AI-agent behavior and introduce remote skill content into the project; no install-time or stealth execution was confirmed.
Mechanism
First-party agent-extension installation and managed AI-instruction file writes.
Rationale
No lifecycle-based malicious execution, credential exfiltration, destructive behavior, or unrelated payload execution was found in the inspected sources. The remotely resolved skills installation and AI-agent control-surface writes create a real first-party extension lifecycle risk requiring a warning.
Evidence
package.jsonbin/main.jssrc/cli/aiFiles.tssrc/cli/configure.tssrc/cli/lib/aiFiles/index.tssrc/cli/lib/aiFiles/skills.tsAGENTS.mdCLAUDE.md.convex/ai/guidelines.md.convex/ai/ai-files.state.jsonskills-lock.jsonconvex.json
Network endpoints3
version.convex.devauth.convex.devapiauth.convex.dev/user_management/authenticate

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/cli/lib/aiFiles/skills.ts` runs `npx --yes skills@latest add get-convex/agent-skills --copy`.
  • Default skill targets include `claude-code` and `codex`, which can modify AI-agent instruction surfaces.
  • `src/cli/lib/aiFiles/index.ts` installs skills and writes managed `AGENTS.md`, `CLAUDE.md`, and `.convex/ai` files.
  • Interactive project setup prompts for AI files with a default-yes response, then performs installation.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • AI setup is limited to an interactive configuration flow or explicit `convex ai-files` commands.
  • Reviewed login traffic is Convex authentication/version API use; no credential harvesting or unrelated exfiltration was found.
  • Removal targets Convex-managed sections/skills and is exposed through an explicit `ai-files remove` command.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 857 file(s), 5.95 MB of source, external domains: 0.0.0.0, 127.0.0.1, api.convex.dev, api.sync.t3.chat, api.workos.com, apiauth.convex.dev, auth.convex.dev, basic-whale-224.eu-west-1.convex.cloud, clever-otter-890.convex.cloud, convex.dev, convex.my-company.com, convex.test, cross-project-deploy.convex.cloud, dashboard.convex.dev, dashboard.workos.com, docs.convex.dev, dogs.are.great, example.com, example.convex.cloud, example.convex.site, feature-preview-123.convex.cloud, foo-bar-123.convex.cloud, fq-dev-deploy.convex.cloud, fq-prod-deploy.convex.cloud, fully-qualified-123.convex.cloud, github.com, graceful-puffin-456.convex.cloud, happy-animal-123.convex.cloud, happy-animal-123.convex.site, happy-capybara-123.convex.cloud, happy-capybara-123.convex.site, happy-otter-123.convex.cloud, joyful-capybara-123.convex.cloud, joyful-capybara-123.convex.site, joyful-capybara-123.eu-west-1.convex.cloud, joyful-capybara-456.convex.cloud, joyful-capybara-456.convex.site, json-schema.org, news.convex.dev, nicolas-dev-123.convex.cloud, nimble-penguin-234.convex.cloud, other-deploy-123.convex.cloud, other-project-dev.convex.cloud, other-project-prod.convex.cloud, preview.example.com, small-mouse-123.convex.cloud, small-mouse-123.convex.site, swift-squirrel-234.convex.cloud, swift-squirrel-789.convex.cloud, swift-squirrel-789.convex.site
Oversized source lightweight scan
dist/cli.bundle.cjs5.45 MB file, sampled 256 KB
ChildProcessEnvironmentVarsCryptoWebSocketDynamicRequireHighEntropyStringsUrlStringsdogs.are.greatgithub.comjson-schema.orgnews.convex.devwww.example.com

Source & flagged code

9 flagged · loading source
dist/esm/cli/deploymentCreate.jsView file
1"use strict"; L2: import { execSync } from "child_process"; L3: import { Command, Option } from "@commander-js/extra-typings";
High
Child Process

Package source references child process execution.

dist/esm/cli/deploymentCreate.jsView on unpkg · L1
dist/esm/cli/lib/deploy2.jsView file
349stdio: "inherit", L350: shell: true L351: });
High
Shell

Package source references shell execution.

dist/esm/cli/lib/deploy2.jsView on unpkg · L349
dist/esm/cli/lib/utils/utils.jsView file
311export async function logNoDefaultRegionMessage(teamSlug) { L312: const { teamDashboardUrl } = await import("../dashboard.js"); L313: const noDefaultRegionMessage = chalkStderr.gray(
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/esm/cli/lib/utils/utils.jsView on unpkg · L311
src/cli/lib/login.tsView file
26import { hostname } from "os"; L27: import { execSync } from "child_process"; L28: import { promptString, promptYesNo } from "./utils/prompts.js"; ... L35: L36: // Per https://github.com/panva/node-openid-client/tree/main/docs#customizing L37: custom.setHttpOptionsDefaults({ L38: timeout: parseInt(process.env.OPENID_CLIENT_TIMEOUT || "10000"), L39: });
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

src/cli/lib/login.tsView on unpkg · L26
dist/esm/cli/lib/login.jsView file
11import open from "open"; L12: import { chalkStderr } from "chalk"; L13: import { provisionHost } from "./config.js"; ... L26: import { hostname } from "os"; L27: import { execSync } from "child_process"; L28: import { promptString, promptYesNo } from "./utils/prompts.js"; ... L35: custom.setHttpOptionsDefaults({ L36: timeout: parseInt(process.env.OPENID_CLIENT_TIMEOUT || "10000") L37: }); ... L43: try { L44: const resp = await fetch(`${provisionHost}/api/authorize`, { L45: method: "HEAD",
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/esm/cli/lib/login.jsView on unpkg · L11
11import open from "open"; L12: import { chalkStderr } from "chalk"; L13: import { provisionHost } from "./config.js"; ... L26: import { hostname } from "os"; L27: import { execSync } from "child_process"; L28: import { promptString, promptYesNo } from "./utils/prompts.js"; ... L35: custom.setHttpOptionsDefaults({ L36: timeout: parseInt(process.env.OPENID_CLIENT_TIMEOUT || "10000") L37: }); ... L43: try { L44: const resp = await fetch(`${provisionHost}/api/authorize`, { L45: method: "HEAD",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/esm/cli/lib/login.jsView on unpkg · L11
dist/esm/cli/lib/aiFiles/skills.jsView file
96chalkStderr.yellow( L97: "Could not remove agent skills automatically. Remove them manually with: npx skills remove" L98: ) ... L111: return new Promise((resolve) => { L112: const proc = child_process.spawn( L113: "npx",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/esm/cli/lib/aiFiles/skills.jsView on unpkg · L96
dist/cli.bundle.cjsView file
path = dist/cli.bundle.cjs kind = oversized_source_file sizeBytes = 5718194 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.bundle.cjsView on unpkg
src/cli/lib/formatEnvValueForDotfile.test.tsView file
116patternName = private_key_rsa severity = critical line = 116 matchedText = "-----BE...--",
Critical
Secret Pattern

RSA private key in src/cli/lib/formatEnvValueForDotfile.test.ts

src/cli/lib/formatEnvValueForDotfile.test.tsView on unpkg · L116

Findings

3 Critical5 High4 Medium4 Low
CriticalSame File Env Network Executionsrc/cli/lib/login.ts
CriticalCredential Exfiltrationdist/esm/cli/lib/login.js
CriticalSecret Patternsrc/cli/lib/formatEnvValueForDotfile.test.ts
HighChild Processdist/esm/cli/deploymentCreate.js
HighShelldist/esm/cli/lib/deploy2.js
HighSandbox Evasion Gated Capabilitydist/esm/cli/lib/login.js
HighRuntime Package Installdist/esm/cli/lib/aiFiles/skills.js
HighOversized Source Filedist/cli.bundle.cjs
MediumDynamic Requiredist/esm/cli/lib/utils/utils.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings