registry  /  @agentproto/driver-agent-cli  /  1.0.0

@agentproto/driver-agent-cli@1.0.0

@agentproto/driver-agent-cli — AIP-45 AGENT-CLI.md reference implementation. Multi-protocol runner that loads an AGENT-CLI.md manifest, spawns the binary, and dispatches turns through an ACP / MCP / proprietary arm. ACP arm delegates to @agentproto/acp; e

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A caller creates and starts an ACP runtime, then sends a turn without a custom permission handler or `permissionHold`.
Impact
A configured external agent can receive approval for filesystem or command tool actions in the selected workspace.
Mechanism
Spawned agent execution with default auto-approved ACP permissions.
Rationale
Source inspection finds no concrete malware chain, but the default permission behavior can authorize a spawned AI agent's requested actions. Treat it as a dangerous capability requiring an upstream warning rather than a publish block.
Evidence
package.jsondist/index.mjsdist/chunk-XTZNZ7MA.mjsdist/manifest/index.mjs<caller cwd>/.mastracode/mcp.json<temporary CLAUDE_CONFIG_DIR>/settings.json

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-XTZNZ7MA.mjs` defaults ACP permission requests to `autoAllowPermissionHandler`.
  • `dist/chunk-XTZNZ7MA.mjs` selects an `allow_*` permission option for agent tool requests.
  • `dist/chunk-XTZNZ7MA.mjs` spawns the manifest-selected CLI in caller-supplied `cwd`.
  • `dist/chunk-XTZNZ7MA.mjs` advertises ACP filesystem read/write capability to the spawned agent.
Evidence against
  • `package.json` contains no preinstall, install, or postinstall hook.
  • No hard-coded network endpoint, credential exfiltration, shell downloader, or payload fetch is present.
  • Environment keys are forwarded only to the spawned CLI during an explicit runtime start.
  • MCP configuration writes are runtime-only, caller-provided, and restored or removed on session close.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 63.1 KB of source

Source & flagged code

2 flagged · loading source
dist/chunk-XTZNZ7MA.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @agentproto/driver-agent-cli@0.3.0 matchedIdentity = npm:[redacted]:0.3.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunk-XTZNZ7MA.mjsView on unpkg
954try { L955: mod = await import(options.adapter); L956: } catch (err) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-XTZNZ7MA.mjsView on unpkg · L954

Findings

1 High2 Medium3 Low
HighPrevious Version Dangerous Deltadist/chunk-XTZNZ7MA.mjs
MediumDynamic Requiredist/chunk-XTZNZ7MA.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings