registry  /  @agent-link/agent  /  0.1.265

@agent-link/agent@0.1.265

AgentLink local agent CLI

AI Security Review

scanned 15d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is a user-invoked remote agent CLI with powerful file/process capabilities that match its documented purpose.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
user runs agentlink-client start, service install, upgrade, or selects a backend
Impact
Remote browser sessions can operate on the configured working directory and spawn supported agent CLIs after the user starts the agent.
Mechanism
documented relay-controlled local agent and CLI subprocess bridge
Rationale
Static inspection found high-risk remote-agent functionality, including subprocess execution and file operations, but it is documented, user-invoked, and not activated at install/import time. I found no hidden credential harvesting, destructive payload, stealth persistence, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/cli.jsdist/index.jsdist/connection.jsdist/codex.jsdist/service.jsdist/config.js~/.agentlink/config.json~/.agentlink/agent.json~/.agentlink/logs~/.config/systemd/user/agentlink.service/etc/systemd/system/agentlink.service~/Library/LaunchAgents/com.agentlink.agent.plist%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/agentlink.bat
Network endpoints5
wss://msclaude.aimsclaude.ailogin.microsoftonline.comlocalhost:8001cdn.jsdelivr.net/npm/marked@17.0.6/marked.min.js

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/codex.js runs Codex with --dangerously-bypass-approvals-and-sandbox when user selects Codex backend
  • dist/connection.js accepts relay messages to read/write/delete project files and start agent subprocess turns
  • dist/service.js writes systemd/launchd/Startup persistence only via explicit service install command
Evidence against
  • package.json has no install/postinstall lifecycle hook; only prepublishOnly build script
  • README.md describes remote local-agent behavior, subprocess spawning, relay server, and boot service commands
  • dist/cli.js activates daemon/service/upgrade only through CLI subcommands, not import/install time
  • dist/config.js default relay wss://msclaude.ai and config writes are package-aligned runtime state
  • No credential harvesting or hidden exfiltration found beyond user-configured relay/auth flow
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 49 file(s), 650 KB of source, external domains: cdn.jsdelivr.net, login.microsoftonline.com, msclaude.ai, www.apple.com

Source & flagged code

2 flagged · loading source
dist/service.jsView file
1import { execSync } from 'child_process'; L2: import { existsSync, mkdirSync, writeFileSync, unlinkSync } from 'fs'; ... L48: } L49: return join(homedir(), '.config', 'systemd', 'user', `${SERVICE_NAME}.service`); L50: } ... L183: try { L184: execSync(`launchctl unload "${plistPath}" 2>/dev/null`); L185: } ... L215: function getStartupBatPath() { L216: const startupDir = join(process.env.APPDATA || join(homedir(), 'AppData', 'Roaming'), 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup'); L217: return join(startupDir, `${SERVICE_NAME}.bat`); ... L264: export function isServiceInstalled() {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/service.jsView on unpkg · L1
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @agent-link/agent@0.1.264 matchedIdentity = npm:QGFnZW50LWxpbmsvYWdlbnQ:0.1.264 similarity = 0.894 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli.jsView on unpkg

Findings

1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/service.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings