registry  /  @agent-native/dispatch  /  0.14.0

@agent-native/dispatch@0.14.0

Dispatch — workspace control plane for agent-native apps. Vault, integrations, destinations, scheduled jobs, and cross-app delegation, shipped as a single drop-in package.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No install-time attack surface is established. At authenticated runtime, the package can relay explicit code-agent commands to a configured Agent-Native endpoint; this is a dangerous capability but not covert package behavior.

Static reason
No blocking static signals were detected.
Trigger
An authenticated Dispatch action or a linked Telegram user's `/code` command.
Impact
A permitted caller can request create, continue, approval, denial, or stop operations on a remote code-agent host.
Mechanism
Authenticated remote code-agent command relay.
Rationale
Source inspection found no lifecycle execution, credential harvesting, filesystem mutation, or covert exfiltration. Its authenticated remote code-agent relay is a real dangerous dual-use capability, so warn rather than mark clean or block.
Evidence
package.jsonsrc/actions/send-code-agent-remote-command.tssrc/server/lib/dispatch-remote-commands.tssrc/server/lib/dispatch-integrations.tssrc/server/plugins/agent-chat.ts
Network endpoints3
slack.com/api/users.infoslack.com/api/conversations.infoapi.sendgrid.com/v3/mail/send

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `src/actions/send-code-agent-remote-command.ts` accepts create/continue/approve/stop code-agent commands.
  • `src/server/lib/dispatch-remote-commands.ts` forwards command envelopes to a relay endpoint.
  • Telegram `/code` messages can invoke the relay after linked-owner resolution.
  • `src/server/plugins/agent-chat.ts` exposes package actions to an agent chat plugin.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or uninstall lifecycle hook.
  • No production source imports filesystem, child-process, or VM execution APIs.
  • Relay action requires `getRequestUserEmail()` and rejects unauthenticated requests.
  • Network calls are integration-aligned: Slack identity lookup and SendGrid approval email.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 474 file(s), 2.30 MB of source, external domains: 127.0.0.1, agent-native.invalid, analytics.agent-native.com, api.example.com, api.example.test, api.sendgrid.com, api.usepylon.com, app.example.com, assets.agent-native.com, attacker.example.test, brain.agent-native.com, builder.io, calendar.agent-native.com, cdn.example.com, dispatch.agent-native.com, dispatch.agent-native.test, esm.sh, example.com, forms.example.com, mail.agent-native.com, slack.com, todo.example.com, workspace.example.test

Source & flagged code

1 flagged · loading source
dist/actions/view-screen.jsView file
19const modulePath = `./${name}.js`; L20: const module = (await import(/* @vite-ignore */ modulePath)); L21: if (!module.default)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/actions/view-screen.jsView on unpkg · L19

Findings

3 Medium4 Low
MediumDynamic Requiredist/actions/view-screen.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings