registry  /  @agentproto/driver-agent-cli  /  0.3.0

@agentproto/driver-agent-cli@0.3.0

@agentproto/driver-agent-cli — AIP-45 AGENT-CLI.md reference implementation. Multi-protocol runner that loads an AGENT-CLI.md manifest, spawns the binary, and dispatches turns through an ACP / MCP / proprietary arm. ACP arm delegates to @agentproto/acp; e

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. Runtime-only process spawning, API-key forwarding, and optional MCP configuration are aligned with an agent-CLI driver and require caller-supplied runtime definitions or options.

Static reason
No blocking static signals were detected.
Trigger
Caller imports the library and starts a runtime/session with a manifest definition.
Impact
The invoked external CLI receives configured arguments, environment, prompts, and optional MCP server definitions; this package itself does not exfiltrate or contact endpoints.
Mechanism
Caller-configured agent CLI subprocess wrapper with optional temporary MCP configuration.
Rationale
The package is a runtime library for launching explicitly configured agent CLIs, not an install-time payload. Its sensitive primitives are caller-triggered and package-aligned, with no concrete malicious chain in the inspected source.
Evidence
package.jsondist/index.mjsdist/chunk-KHHRPQ2Q.mjs

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.mjs` forwards selected provider API-key environment variables to a runtime-started CLI.
  • `dist/chunk-KHHRPQ2Q.mjs` spawns the manifest-selected binary and dynamically imports a manifest-selected proprietary adapter.
  • `dist/chunk-KHHRPQ2Q.mjs` can temporarily write `<cwd>/.mastracode/mcp.json` only for explicit Mastra MCP runtime configuration.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or executable bin hook.
  • Entrypoints only define/export helpers at import time; no install-time or import-time process, network, or filesystem action was found.
  • No HTTP client, endpoint literal, eval/vm usage, downloader, credential exfiltration, or bundled binary was found.
  • The MCP config path is restored or removed on session close; Claude permission config is written under a newly created OS temp directory.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 53.6 KB of source

Source & flagged code

1 flagged · loading source
dist/chunk-KHHRPQ2Q.mjsView file
820try { L821: mod = await import(options.adapter); L822: } catch (err) {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-KHHRPQ2Q.mjsView on unpkg · L820

Findings

2 Medium3 Low
MediumDynamic Requiredist/chunk-KHHRPQ2Q.mjs
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings