registry  /  @agent-native/recap-cli  /  0.4.1

@agent-native/recap-cli@0.4.1

Dependency-light PR visual recap CLI for Agent-Native workflows.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time malicious behavior is established. An explicit setup command can create a persistent GitHub Actions PR workflow that runs external coding agents with configured credentials and publishes recaps.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `agent-native recap setup`, commits the generated workflow, then a pull request triggers it.
Impact
PR diffs, agent outputs, and configured service tokens are processed by the selected AI/Plan/GitHub integrations; unsafe agent execution increases CI risk.
Mechanism
User-invoked CI workflow setup with privileged AI-agent execution.
Rationale
Source inspection disproves the scanner's install-time credential-exfiltration claim, but confirms an explicit persistent AI-agent CI setup with an unsafe execution mode. Flag as warn for agent-extension lifecycle risk, not block as malicious.
Evidence
package.jsondist/cli.jsdist/recap.jsdist/pr-visual-recap-workflow.jsdist/plan-publish-store.js.github/workflows/pr-visual-recap.ymlrecap-source.jsonrecap.png
Network endpoints2
plan.agent-native.comapi.github.com

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/recap.js` exposes explicit `recap setup` that writes `.github/workflows/pr-visual-recap.yml`.
  • Bundled workflow invokes Codex with `--dangerously-bypass-approvals-and-sandbox`.
  • Workflow passes configured Plan/AI credentials into PR automation and publishes recap artifacts.
  • `dist/recap.js` uses `gh`, GitHub REST, and authenticated Plan API calls for setup and recap operations.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare hook.
  • `dist/cli.js` only dispatches the user-invoked `recap` CLI command.
  • No import-time network, shell, file-write, or credential-harvesting behavior found.
  • Workflow uses `pull_request`, not `pull_request_target`, and includes fork/trust and secret-scan gates.
  • Plan API calls use an explicit bearer token and package-aligned `plan.agent-native.com` endpoint.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 308 KB of source, external domains: api.github.com, github.com, plan.agent-native.com, provider.example

Source & flagged code

2 flagged · loading source
dist/pr-visual-recap-workflow.jsView file
1/** Canonical PR Visual Recap workflow bundled by the CLI installer. */ L2: export const PR_VISUAL_RECAP_WORKFLOW_YML = 'name: PR Visual Recap\n\n# Visual code review: a coding agent runs the repo\'s visual-recap skill over the\n# PR diff, publishes a plan... L3: //# sourceMappingURL=pr-visual-recap-workflow.js.map
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/pr-visual-recap-workflow.jsView on unpkg · L1
1Trigger-reachable chain: manifest.exports -> dist/index.js -> dist/pr-visual-recap-workflow.js L1: /** Canonical PR Visual Recap workflow bundled by the CLI installer. */ L2: export const PR_VISUAL_RECAP_WORKFLOW_YML = 'name: PR Visual Recap\n\n# Visual code review: a coding agent runs the repo\'s visual-recap skill over the\n# PR diff, publishes a plan... L3: //# sourceMappingURL=pr-visual-recap-workflow.js.map
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/pr-visual-recap-workflow.jsView on unpkg · L1

Findings

2 Critical3 Medium4 Low
CriticalCredential Exfiltrationdist/pr-visual-recap-workflow.js
CriticalTrigger Reachable Dangerous Capabilitydist/pr-visual-recap-workflow.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings