registry  /  @addai/entity-runtime  /  0.2.42

@addai/entity-runtime@0.2.42

Daemon that pairs a machine with your +Ai account and runs Claude / Codex / Kimi / Gemini agents on its behalf. Reachable via Supabase from Vault, Entity Studio, or any other +Ai surface.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the `entities-runtime` CLI and completes pairing.
Impact
A paired runtime can execute requested agent work with elevated Claude permission handling; this is an intentional but high-risk capability.
Mechanism
Remote-request-driven AI agent execution with Claude permission-state mutation.
Rationale
No concrete malicious install-time behavior, credential exfiltration chain, or concealed payload was found. The explicit runtime mutation of Claude permission state and remote agent execution warrant a warning rather than a block.
Evidence
package.jsonscripts/fix-pty-helper.jsdist/index.jsdist/claude-config.jsdist/claude-spawn.jsdist/session-runner.jsnode_modules/node-pty/prebuilds/*/spawn-helper~/.claude/settings.json~/.claude.json~/.entities-runtime/state.json<session-cwd>/.mcp.json<session-cwd>/.claude/skills/SKILL.md
Network endpoints4
syhzpqqvrplaqdipcymw.supabase.covault.add.ai/add/entityaddai-flows-backend-29522465016.europe-west2.run.appsyhzpqqvrplaqdipcymw.supabase.co/functions/v1/entity-self-improve

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` calls `ensureBypassPermissionsAccepted()` when the daemon starts.
  • `dist/claude-config.js` sets Claude's global bypass-warning acceptance and project trust entries.
  • `dist/session-runner.js` polls paired service requests and launches Claude/Codex/Kimi/Gemini sessions.
  • `dist/claude-spawn.js` passes remote request options to a PTY-launched Claude process.
  • `dist/install.js` writes request-provided MCP and skill configuration into session workspaces.
Evidence against
  • `package.json` postinstall only chmods `node-pty`'s local spawn helper.
  • No install hook writes AI-agent configuration or contacts a network endpoint.
  • CLI invokes runtime startup explicitly; importing `dist/index.js` does not start it.
  • No eval/vm/dynamic loader or hidden payload mechanism was found.
  • Network calls are package-aligned pairing, RPC, heartbeat, and request-flow endpoints.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 35 file(s), 280 KB of source, external domains: addai-flows-backend-29522465016.europe-west2.run.app, syhzpqqvrplaqdipcymw.supabase.co, vault.add.ai

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/fix-pty-helper.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts/smoke-test.shView file
path = scripts/smoke-test.sh kind = build_helper sizeBytes = 2483 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/smoke-test.shView on unpkg

Findings

1 High4 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/smoke-test.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings