AI Security Review
scanned 15d ago · by lpm-firewall-aiNo confirmed malicious attack surface is established. The package is a user-invoked remote agent CLI with powerful file/process capabilities that match its documented purpose.
Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
user runs agentlink-client start, service install, upgrade, or selects a backend
Impact
Remote browser sessions can operate on the configured working directory and spawn supported agent CLIs after the user starts the agent.
Mechanism
documented relay-controlled local agent and CLI subprocess bridge
Rationale
Static inspection found high-risk remote-agent functionality, including subprocess execution and file operations, but it is documented, user-invoked, and not activated at install/import time. I found no hidden credential harvesting, destructive payload, stealth persistence, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/cli.jsdist/index.jsdist/connection.jsdist/codex.jsdist/service.jsdist/config.js~/.agentlink/config.json~/.agentlink/agent.json~/.agentlink/logs~/.config/systemd/user/agentlink.service/etc/systemd/system/agentlink.service~/Library/LaunchAgents/com.agentlink.agent.plist%APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup/agentlink.bat
Network endpoints5
wss://msclaude.aimsclaude.ailogin.microsoftonline.comlocalhost:8001cdn.jsdelivr.net/npm/marked@17.0.6/marked.min.js
Decision evidence
public snapshotAI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/codex.js runs Codex with --dangerously-bypass-approvals-and-sandbox when user selects Codex backend
- dist/connection.js accepts relay messages to read/write/delete project files and start agent subprocess turns
- dist/service.js writes systemd/launchd/Startup persistence only via explicit service install command
Evidence against
- package.json has no install/postinstall lifecycle hook; only prepublishOnly build script
- README.md describes remote local-agent behavior, subprocess spawning, relay server, and boot service commands
- dist/cli.js activates daemon/service/upgrade only through CLI subcommands, not import/install time
- dist/config.js default relay wss://msclaude.ai and config writes are package-aligned runtime state
- No credential harvesting or hidden exfiltration found beyond user-configured relay/auth flow
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcedist/service.jsView file
1import { execSync } from 'child_process';
L2: import { existsSync, mkdirSync, writeFileSync, unlinkSync } from 'fs';
...
L48: }
L49: return join(homedir(), '.config', 'systemd', 'user', `${SERVICE_NAME}.service`);
L50: }
...
L183: try {
L184: execSync(`launchctl unload "${plistPath}" 2>/dev/null`);
L185: }
...
L215: function getStartupBatPath() {
L216: const startupDir = join(process.env.APPDATA || join(homedir(), 'AppData', 'Roaming'), 'Microsoft', 'Windows', 'Start Menu', 'Programs', 'Startup');
L217: return join(startupDir, `${SERVICE_NAME}.bat`);
...
L264: export function isServiceInstalled() {
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/service.jsView on unpkg · L1dist/cli.jsView file
•matchType = previous_version_dangerous_delta
matchedPackage = @agent-link/agent@0.1.264
matchedIdentity = npm:QGFnZW50LWxpbmsvYWdlbnQ:0.1.264
similarity = 0.894
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version.
dist/cli.jsView on unpkgFindings
1 Critical3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/service.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings