registry  /  @agent-relay/factory  /  0.1.19

@agent-relay/factory@0.1.19

Agent factory — triage, dispatch, merge-gate for relayfile-driven workspaces

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the `factory` CLI or configures a factory node/workflow.
Impact
Authorized use can execute configured agent tasks and workflow files in advertised checkout paths.
Mechanism
Configured agent dispatch, workflow execution, relay mount management, and stale-process reaping.
Rationale
No concrete malicious behavior was found, but the package deliberately exposes powerful AI-agent and workflow execution capabilities. Flag as warn for dangerous dual-use review rather than block.
Evidence
package.jsonbin/factory.mjsdist/cli/fleet.jsdist/node/factory-node.jsdist/mount/local-mount-preflight.jsdist/orchestrator/reaper.jsscripts/factory-canary.sh

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/node/factory-node.js` can spawn Claude/Codex agents and run configured TS/TSX/Python workflows.
  • `dist/orchestrator/reaper.js` can terminate registered stale agent processes with SIGTERM/SIGKILL.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `bin/factory.mjs` dynamically imports only its fixed local `dist/cli/fleet.js` entrypoint.
  • `dist/mount/local-mount-preflight.js` launches relayfile only during explicit factory runtime commands.
  • `dist/node/factory-node.js` restricts supplied checkout paths to configured clone paths or cloneRoot.
  • No source evidence of credential harvesting, hidden remote payload loading, eval/vm execution, or hard-coded exfiltration endpoint.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 63 file(s), 615 KB of source, external domains: api.github.com, github.com

Source & flagged code

3 flagged · loading source
bin/factory.mjsView file
5const entry = join(here, '..', 'dist', 'cli', 'fleet.js') L6: const mod = await import(pathToFileURL(entry).href) L7: await mod.main(process.argv.slice(2))
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/factory.mjsView on unpkg · L5
scripts/factory-canary.shView file
path = scripts/factory-canary.sh kind = build_helper sizeBytes = 4333 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/factory-canary.shView on unpkg
dist/cli/fleet.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @agent-relay/factory@0.1.18 matchedIdentity = npm:QGFnZW50LXJlbGF5L2ZhY3Rvcnk:0.1.18 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/fleet.jsView on unpkg

Findings

1 High4 Medium4 Low
HighPrevious Version Dangerous Deltadist/cli/fleet.js
MediumDynamic Requirebin/factory.mjs
MediumEnvironment Vars
MediumShips Build Helperscripts/factory-canary.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings