registry  /  @agentproto/runtime  /  0.6.0

@agentproto/runtime@0.6.0

@agentproto/runtime — long-running gateway that turns an agentproto workspace into a live runtime. Composes @agentproto/mcp-server (CRUD verbs) with HTTP transport, HEARTBEAT.md autonomy loop, and append-only conversation persistence. Drop a workspace dir

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package is an agent runtime with host command and PTY execution capabilities. These activate only after a consumer creates and exposes a gateway; source inspection found no install-time execution or covert payload chain.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Consumer imports the package, calls `createGateway`, and invokes configured MCP/session tools.
Impact
A compromised or over-privileged authenticated client could execute allowlisted local commands or interact with spawned terminals.
Mechanism
Authenticated agent gateway exposing allowlisted process and PTY control.
Rationale
The scanner's claimed decode-and-execute/exfiltration chain is not supported by source inspection. The package is not malicious, but its intentional remote-agent execution surface warrants a warning as a dangerous capability.
Evidence
package.jsondist/index.mjsREADME.md<workspace>/.agentproto/allowed-commands.json<workspace>/.agentproto/runtime.json<workspace>/HEARTBEAT.md<workspace>/BOOT.md
Network endpoints2
cli.agentproto.shwss://rdv.agentproto.sh/v1

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/index.mjs` exposes MCP tools that can spawn host commands and PTY sessions.
  • `command_execute` captures command stdout/stderr for remote-agent tool responses.
  • `createGateway` can expose runtime services and optional tunnel integrations.
  • Dynamic imports load local Node modules/binaries, not downloaded code.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hooks.
  • Process execution is runtime-invoked, allowlisted by workspace config, workspace-cwd constrained, and uses `shell:false`.
  • Mutating `/sessions/*` routes require a bearer token or allowed origin in `dist/index.mjs`.
  • No `eval`, `Function`, `vm`, remote-code import, or fetched-payload execution was found.
  • Base64 handling is terminal/browser data transport, not payload execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 10 file(s), 681 KB of source, external domains: 127.0.0.1, browser-service.example.com, cli.agentproto.sh, github.com, ngrok.com, pkg.cloudflare.com

Source & flagged code

7 flagged · loading source
dist/index.mjsView file
6import { homedir, tmpdir } from 'os'; L7: import { execFile, spawn } from 'child_process'; L8: import { z } from 'zod'; ... L15: import matter from 'gray-matter'; L16: import { createServer } from 'http'; L17: import { StreamableHTTPServerTransport } from '@[redacted].js'; ... L68: function daemonRegistryDir() { L69: return resolve(homedir(), ".agentproto", "daemons"); L70: } ... L104: const [raw, st] = await Promise.all([readFile(path, "utf8"), stat(path)]); L105: out.push({ meta: JSON.parse(raw), path, mtime: st.mtime }); L106: } catch {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.mjsView on unpkg · L6
6import { homedir, tmpdir } from 'os'; L7: import { execFile, spawn } from 'child_process'; L8: import { z } from 'zod'; ... L15: import matter from 'gray-matter'; L16: import { createServer } from 'http'; L17: import { StreamableHTTPServerTransport } from '@[redacted].js'; ... L68: function daemonRegistryDir() { L69: return resolve(homedir(), ".agentproto", "daemons"); L70: } ... L104: const [raw, st] = await Promise.all([readFile(path, "utf8"), stat(path)]); L105: out.push({ meta: JSON.parse(raw), path, mtime: st.mtime }); L106: } catch {
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.mjsView on unpkg · L6
6Trigger-reachable chain: manifest.main -> dist/index.mjs L6: import { homedir, tmpdir } from 'os'; L7: import { execFile, spawn } from 'child_process'; L8: import { z } from 'zod'; ... L15: import matter from 'gray-matter'; L16: import { createServer } from 'http'; L17: import { StreamableHTTPServerTransport } from '@[redacted].js'; ... L68: function daemonRegistryDir() { L69: return resolve(homedir(), ".agentproto", "daemons"); L70: } ... L104: const [raw, st] = await Promise.all([readFile(path, "utf8"), stat(path)]); L105: out.push({ meta: JSON.parse(raw), path, mtime: st.mtime }); L106: } catch {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.mjsView on unpkg · L6
matchType = previous_version_dangerous_delta matchedPackage = @agentproto/runtime@0.4.0 matchedIdentity = npm:QGFnZW50cHJvdG8vcnVudGltZQ:0.4.0 similarity = 0.444 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.mjsView on unpkg
6import { homedir, tmpdir } from 'os'; L7: import { execFile, spawn } from 'child_process'; L8: import { z } from 'zod';
High
Child Process

Package source references child process execution.

dist/index.mjsView on unpkg · L6
16394const workspace = await mkdtemp(join(tmpdir(), "agentproto-sandbox-local-")); L16395: const child = spawn( L16396: "agentproto", ... L16398: { L16399: env: { ...process.env, ...opts.env }, L16400: stdio: "ignore" ... L16406: }); L16407: const healthUrl = `http://127.0.0.1:${port}/health`; L16408: const ready = await probeHealth(healthUrl, HEALTH_TIMEOUT_MS);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.mjsView on unpkg · L16394
1215try { L1216: const sqlite = await import('sqlite'); L1217: DatabaseSync = sqlite.DatabaseSync;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.mjsView on unpkg · L1215

Findings

4 Critical3 High4 Medium5 Low
CriticalCommand Output Exfiltrationdist/index.mjs
CriticalRemote Asset Decode Executedist/index.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/index.mjs
CriticalPrevious Version Dangerous Deltadist/index.mjs
HighChild Processdist/index.mjs
HighShell
HighSame File Env Network Executiondist/index.mjs
MediumDynamic Requiredist/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings