registry  /  flowviant  /  0.23.0

flowviant@0.23.0

Run your own Claude Code as headless build agents for Flowviant — on your own credentials. Claims dispatched work, opens PRs, captures review evidence, and routes questions back to you.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `flowviant` with a Flowviant credential or stored login.
Impact
A compromised service/task, unsafe repository config, or agent prompt can cause broad changes, commands, PR actions, and potentially access environment-backed services in the selected repository.
Mechanism
Remote-orchestrated AI agent execution, local shell previews, binary download, and self-update.
Rationale
Source inspection confirms dangerous but package-aligned, user-invoked automation rather than covert install-time malware or unrelated exfiltration. The default permission bypass, secret-bearing preview setup, remote orchestration, and self-updating warrant a warning.
Evidence
package.jsonbin/cli.mjsbin/lib/claude.mjsbin/lib/live.mjsbin/lib/fleet.mjsbin/lib/preview.mjsbin/lib/update.mjsbin/lib/git.mjs~/.flowviant/credentials.json~/.flowviant/bin/gh~/.flowviant/bin/cloudflared.flowviant/preview.json.env.env.local.env.development.env.development.local
Network endpoints3
api.flowviant.com/api/v2api.github.com/repos/cli/cli/releases/latestgithub.com/cloudflare/cloudflared/releases/latest/download/

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/lib/live.mjs` starts a remote-directed Claude session with `bypassPermissions` unless `FLOWVIANT_SAFE=1`.
  • `bin/lib/claude.mjs` similarly uses `--dangerously-skip-permissions` for unattended worker mode.
  • `bin/lib/live.mjs` copies absent `.env*` files into agent worktrees before running previews.
  • `bin/lib/preview.mjs` executes inferred/configured dev commands with `shell:true`, downloads and runs `cloudflared`.
  • `bin/lib/update.mjs` can auto-run `npm install -g flowviant@latest` and re-exec after server version signals.
  • `bin/lib/fleet.mjs` accepts fleet merge jobs and invokes `gh pr merge` after same-repository URL validation.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • The executable is activated through the explicit `flowviant` CLI entrypoint.
  • Network targets and credentials are Flowviant workflow components, not unrelated collection endpoints.
  • `bin/lib/git.mjs` validates server-provided PR URLs, branches, and worktree path segments.
  • No `eval`, `Function`, VM loading, obfuscated payload, or covert credential harvesting was found.
  • README documents autonomous agents, previews, downloads, and `FLOWVIANT_SAFE=1`.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 138 KB of source, external domains: api.flowviant.com, api.github.com, app.flowviant.com, claude.com, cli.github.com, github.com

Source & flagged code

4 flagged · loading source
bin/lib/preflight.mjsView file
6L7: import { execFileSync } from 'node:child_process'; L8: import { ok, warn, info, c } from './ui.mjs';
High
Child Process

Package source references child process execution.

bin/lib/preflight.mjsView on unpkg · L6
bin/lib/preview.mjsView file
334cwd: worktree, L335: shell: true, L336: detached: true,
High
Shell

Package source references shell execution.

bin/lib/preview.mjsView on unpkg · L334
bin/lib/update.mjsView file
4* A daemon runs for hours/days from one launch, so "latest at launch" (even with L5: * `npx flowviant@latest`) doesn't help a process that's already up when a new L6: * version ships. The server reports {latest, min} on every roster poll; the ... L12: L13: import { execFileSync, spawn } from 'node:child_process'; L14: import { fileURLToPath } from 'node:url';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/lib/update.mjsView on unpkg · L4
bin/lib/claude.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = flowviant@0.9.1 matchedIdentity = npm:Zmxvd3ZpYW50:0.9.1 similarity = 0.364 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/lib/claude.mjsView on unpkg

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltabin/lib/claude.mjs
HighChild Processbin/lib/preflight.mjs
HighShellbin/lib/preview.mjs
HighRuntime Package Installbin/lib/update.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings