AI Security Review
scanned 3h ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked deployment CLI with broad but purpose-aligned GitHub, AWS, local git, and Melduo API capabilities.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs melduo login, init, deploy, logout, whoami, or interactive CLI commands.
Impact
Can modify the user's repo deploy branch/worktree, GitHub Actions secrets, and AWS CloudFormation/IAM resources after explicit CLI commands and prompts.
Mechanism
deployment automation using GitHub/AWS APIs, local git commands, and Melduo API/LLM proxy
Rationale
Static inspection shows powerful deployment functionality, but it is exposed through the declared melduo CLI commands with no install-time execution or unconsented credential exfiltration. Scanner credential-exfiltration hints are explained by package-aligned GitHub/AWS/Melduo API use and local credential storage.
Evidence
package.jsondist/cli.js.melduo/project.json.melduo/settings.local.json.melduo/cache/analysis.json.melduo/worktree.gitignore
Network endpoints3
api.melduo.comapi.github.comus.i.posthog.com
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/cli.js can read GITHUB_TOKEN or gh auth token for user-invoked GitHub API calls.
- dist/cli.js sends deployment analysis/session data to https://api.melduo.com and telemetry email to PostHog unless disabled.
- dist/cli.js can create GitHub secrets, worktrees/branches, workflows, and AWS IAM/CloudFormation resources during melduo init/deploy.
Evidence against
- package.json has no preinstall/install/postinstall lifecycle hooks; only bin melduo -> dist/cli.js.
- Network and token use is aligned with declared CLI purpose: deploying a GitHub repo to the user's AWS account.
- Credential writes are local Melduo config credentials.json with mode 0600; AWS credentials are used through profiles/fromIni, not harvested for exfiltration.
- Repo/file reads are bounded through user-invoked analyzer/deployer tools and fs jail checks.
- No eval/vm/Function, native binary loading, stealth persistence, destructive install-time behavior, or AI-agent control-surface mutation found.
Behavioral surface
CryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsTelemetryUrlStrings
Source & flagged code
2 flagged · loading sourcedist/cli.jsView file
16try {
L17: const body = await response.json();
L18: if (body.error) code = body.error;
...
L68: try {
L69: response = await fetch(this.url(path16), {
L70: method,
L71: headers: this.headers(),
L72: body: body === void 0 ? void 0 : JSON.stringify(body),
L73: signal: signal ?? null
...
L182: function resolveApiBaseUrl() {
L183: return process.env.MELDUO_API_URL ?? loadGlobalConfig().apiBaseUrl ?? DEFAULT_API_BASE_URL;
L184: }
Critical
Credential Exfiltration
Source appears to send environment or credential material to an external endpoint.
dist/cli.jsView on unpkg · L1616Trigger-reachable chain: manifest.bin -> dist/cli.js
L16: try {
L17: const body = await response.json();
L18: if (body.error) code = body.error;
...
L68: try {
L69: response = await fetch(this.url(path16), {
L70: method,
L71: headers: this.headers(),
L72: body: body === void 0 ? void 0 : JSON.stringify(body),
L73: signal: signal ?? null
...
L182: function resolveApiBaseUrl() {
L183: return process.env.MELDUO_API_URL ?? loadGlobalConfig().apiBaseUrl ?? DEFAULT_API_BASE_URL;
L184: }
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/cli.jsView on unpkg · L16Findings
2 Critical3 Medium5 Low
CriticalCredential Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings