AI Security Review
scanned 1d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The risky primitives are part of a user-invoked CLI/MCP tool for building, uploading, and managing static shares.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs plani commands such as share, link, login, or mcp.
Impact
User-selected files may be uploaded to plani.sh; link may execute the local project's build script by user command.
Mechanism
package-aligned static-site sharing CLI with auth and optional build execution
Rationale
Static inspection shows a normal package-aligned sharing CLI: network, environment, file reads, build execution, and MCP behavior are user-invoked and explained by the product. There is no install-time execution or hidden exfiltration/persistence/control-surface mutation.
Evidence
package.jsondist/index.js~/.plani/auth.jsonuser-supplied share pathproject dist/build/out output directoriesnext.config.tsnext.config.mjsnext.config.jsapp metadata files named sitemap/robots/manifest/opengraph-image/twitter-image/icon
Network endpoints9
plani.shplani.sh/api/uploadplani.sh/api/meplani.sh/api/deploymentsplani.sh/api/checkoutplani.sh/api/subscriptionplani.sh/api/subscription/cancelplani.sh/api/preflightplani.sh/auth/github
Decision evidence
public snapshotAI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js reads user-selected files/directories and uploads base64 content to plani.sh when share/link/MCP tool is invoked.
- dist/index.js can run '<package-manager> run build' for the link command unless --no-build is used.
- dist/index.js temporarily writes Next.js config/app metadata files during link, then restores backups.
Evidence against
- package.json has no install/preinstall/postinstall hook; only prepublishOnly build.
- Network calls are to package-aligned https://plani.sh API endpoints for auth, upload, deployments, checkout, subscription, and preflight.
- Credential access is limited to package-owned ~/.plani/auth.json for login token storage/use/logout.
- No eval/vm/Function, dynamic remote code loading, native binary loading, persistence, or credential harvesting found.
- MCP mode exposes package-aligned share/list/delete/version tools only after explicit 'plani mcp' runtime invocation.
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsUrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
1#!/usr/bin/env node
L2: import{resolve as D,basename as Qe}from"path";import{existsSync as fe,statSync as et,readFileSync as tt}from"fs";import{randomBytes as nt}from"crypto";import{createInterface as ot}...
L3: `:` Open this URL in your browser:
High
Same File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L11#!/usr/bin/env node
L2: import{resolve as D,basename as Qe}from"path";import{existsSync as fe,statSync as et,readFileSync as tt}from"fs";import{randomBytes as nt}from"crypto";import{createInterface as ot}...
L3: `:` Open this URL in your browser:
...
L5: ${l}
L6: `)}),setTimeout(()=>{r||(i.close(),e(new Error("Login timed out \u2014 no response within 2 minutes.")))},12e4)})}function K(){try{return I(x)?(Le(x),!0):!1}catch{return!1}}async f...
L7: `),e="";process.stdin.setEncoding("utf8"),process.stdin.on("data",async n=>{e+=n;let r;for(;(r=e.indexOf(`
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L1Findings
2 High2 Medium5 Low
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License