AI Security Review
scanned 13d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The risky primitives are documented runtime capabilities for an agent gateway and require embedding, daemon startup, configuration, or authenticated/tool-invoked use.
Decision evidence
public snapshot- dist/index.mjs exposes powerful runtime features: command_execute, session spawning, webhooks, remote tunnels, and dynamic tunnel provider import.
- dist/index.mjs can POST session events to AGENTPROTO_NOTIFY_URL, ~/.agentproto/notify.json URL, or per-session notifyUrl.
- dist/index.mjs can spawn cloudflared/ngrok and import third-party tunnel providers when tunnel tools are invoked.
- package.json has no install/preinstall/postinstall lifecycle hooks; main/module only point to dist/index.mjs.
- Command execution is an explicit MCP tool, requires workspace .agentproto/allowed-commands.json basename allowlist, uses shell:false, and confines cwd to workspace.
- Webhook/tunnel/network behavior is user-configured or tool-invoked, not automatic import/install-time exfiltration.
- HTTP mutating session routes require bearer token or allowed origin; orchestrator sub-gateway requires scoped token and limits tools/depth/children.
- README.md documents the package as an embeddable long-running agentproto runtime with sessions, MCP, heartbeat, and auth model.
Source & flagged code
4 flagged · loading sourceSource executes local commands and sends command output to an external endpoint.
dist/index.mjsView on unpkg · L6A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.mjsView on unpkg · L6Package source references dynamic require/import behavior.
dist/index.mjsView on unpkg · L1070