registry  /  @agentdock/daemon  /  0.0.54

@agentdock/daemon@0.0.54

PC daemon + CLI for AgentDock — ACP abstraction, TransportHandler, process management

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a remote AI-agent daemon with explicit pairing, authenticated local control, optional autostart, and server-directed session management that match the package purpose.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the agentdock CLI, pairs/configures a server, or starts/restarts the daemon.
Impact
User-authorized remote control of AI agent sessions, telemetry/activity sync, and optional daemon persistence; no unconsented install-time execution observed.
Mechanism
authenticated remote daemon and agent session orchestration
Rationale
Static inspection shows powerful daemon, persistence, network, and shell-spawn primitives, but they are activated by user CLI/pairing flows and align with the package's stated remote AI-agent console purpose. I found no lifecycle execution, hidden credential harvesting, unexpected exfiltration endpoint, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/cli.jsdist/ensureDaemon.jsdist/daemonEntry.jsdist/daemonLoop.jsdist/autostart.jsdist/daemonRpcHandler.jsdist/spawnConsole.jsdist/rpc/controlServer.jsdist/brand.js~/.agentdock/credentials.json~/.agentdock/daemon.state.json~/.agentdock/tmp/hooks/session-hook-<pid>.json~/Library/LaunchAgents/com.yungujia.agentdock.daemon.plist~/.config/systemd/user/agentdock-daemon.serviceHKCU\Software\Microsoft\Windows\CurrentVersion\Run
Network endpoints4
agentdock-api.yungujia.comapp-api.yark.aiccpark-api.yungujia.com127.0.0.1:<daemon-port>

Decision evidence

public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/autostart.js can create LaunchAgent/systemd/Run-key persistence after CLI start/restart when credentials exist.
  • dist/daemonRpcHandler.js exposes authenticated server RPCs to spawn/stop agent sessions and trigger upgrades.
  • dist/spawnConsole.js can run server-provided startupScripts before launching a session.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • dist/ensureDaemon.js only spawns local dist/daemonEntry.js on user CLI use, not import/install time.
  • dist/rpc/controlServer.js binds local HTTP control to 127.0.0.1 and requires a random bearer token from daemon state.
  • dist/brand.js endpoints are package-aligned AgentDock/YarkAI/CCPark APIs, not hidden exfiltration hosts.
  • dist/pairing/credentials.js stores pairing credentials locally with mode 0600; no broad credential harvesting found.
  • History/activity uploads in dist/historySyncService.js and dist/activityUploader.js are tied to paired server features/settings.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 161 file(s), 351 KB of source, external domains: 127.0.0.1, agentdock-api.yungujia.com, app-api.yark.ai, ccpark-api.yungujia.com, claude.ai, docs.github.com, opencode.ai, raw.githubusercontent.com, registry.npmjs.org, www.apple.com

Source & flagged code

5 flagged · loading source
dist/processTree.jsView file
1"use strict";import{exec as t,execSync as c}from"node:child_process";const r=process.platform==="win32";export function killProcessTree(e){r&&e.pid?t(`taskkill /T /F /PID ${e.pid}`... L2: `)}):e.kill("SIGTERM")}export function killProcessTreeByPid(e){r?t(`taskkill /T /F /PID ${e}`,s=>{s&&process.stderr.write(`taskkill failed for PID ${e}: ${s.message}
High
Child Process

Package source references child process execution.

dist/processTree.jsView on unpkg · L1
dist/subagentIds.jsView file
1"use strict";import{createHash as t}from"node:crypto";export function makeStableSubagentId(e){return`c${t("sha1").update(e).digest("hex").slice(0,23)}`}
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/subagentIds.jsView on unpkg · L1
dist/autostart.jsView file
1"use strict";import{execSync as o}from"node:child_process";import i from"node:fs";import a from"node:path";import{fileURLToPath as g}from"node:url";import{isEnterprise as y}from"@a... L2: `)+` ... L4: `)+` L5: `}export function buildRegCommand(e,t,n){const s=(n?`"${e}" "--import" "tsx" "${t}"`:`"${e}" "${t}"`).replace(/"/g,'\\"');return`reg add HKCU\\Software\\Microsoft\\Windows\\Current...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/autostart.jsView on unpkg · L1
dist/ensureDaemon.jsView file
1"use strict";import{spawn as w}from"node:child_process";import c from"node:path";import{fileURLToPath as y}from"node:url";import{readDaemonState as m}from"./state.js";import{getSta...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/ensureDaemon.jsView on unpkg · L1
1"use strict";import{spawn as w}from"node:child_process";import c from"node:path";import{fileURLToPath as y}from"node:url";import{readDaemonState as m}from"./state.js";import{getSta...
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/ensureDaemon.jsView on unpkg · L1

Findings

3 High3 Medium6 Low
HighChild Processdist/processTree.js
HighSame File Env Network Executiondist/ensureDaemon.js
HighCommand Output Exfiltrationdist/ensureDaemon.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/autostart.js
LowScripts Present
LowWeak Cryptodist/subagentIds.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License