registry  /  @agentproto/runtime  /  0.4.0

@agentproto/runtime@0.4.0

@agentproto/runtime — long-running gateway that turns an agentproto workspace into a live runtime. Composes @agentproto/mcp-server (CRUD verbs) with HTTP transport, HEARTBEAT.md autonomy loop, and append-only conversation persistence. Drop a workspace dir

AI Security Review

scanned 13d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The risky primitives are documented runtime capabilities for an agent gateway and require embedding, daemon startup, configuration, or authenticated/tool-invoked use.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports createGateway or runs an embedding/CLI daemon using this runtime.
Impact
Can execute allowed local commands, spawn configured agent/tunnel processes, and send configured session notifications when deliberately enabled.
Mechanism
Documented agent runtime gateway with MCP tools, session management, optional webhooks, and tunnels
Rationale
Static inspection confirms scanner hits map to package-aligned runtime features, not unconsented install/import-time behavior or hidden exfiltration. The command, webhook, tunnel, and orchestration surfaces are explicit, gated/configured, and documented.
Evidence
package.jsonREADME.mddist/index.mjs<workspace>/.agentproto/runtime.json<workspace>/.agentproto/allowed-commands.json<workspace>/HEARTBEAT.md~/.agentproto/notify.json~/.agentproto/providers.json~/.agentproto/sessions.json
Network endpoints4
127.0.0.1:<port>/mcp127.0.0.1:4040/api/tunnels*.trycloudflare.comuser-supplied notifyUrl/webhookUrl

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.mjs exposes powerful runtime features: command_execute, session spawning, webhooks, remote tunnels, and dynamic tunnel provider import.
  • dist/index.mjs can POST session events to AGENTPROTO_NOTIFY_URL, ~/.agentproto/notify.json URL, or per-session notifyUrl.
  • dist/index.mjs can spawn cloudflared/ngrok and import third-party tunnel providers when tunnel tools are invoked.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; main/module only point to dist/index.mjs.
  • Command execution is an explicit MCP tool, requires workspace .agentproto/allowed-commands.json basename allowlist, uses shell:false, and confines cwd to workspace.
  • Webhook/tunnel/network behavior is user-configured or tool-invoked, not automatic import/install-time exfiltration.
  • HTTP mutating session routes require bearer token or allowed origin; orchestrator sub-gateway requires scoped token and limits tools/depth/children.
  • README.md documents the package as an embeddable long-running agentproto runtime with sessions, MCP, heartbeat, and auth model.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 9 file(s), 474 KB of source, external domains: 127.0.0.1, browser-service.example.com, github.com, ngrok.com, pkg.cloudflare.com

Source & flagged code

4 flagged · loading source
dist/index.mjsView file
6import { homedir } from 'os'; L7: import { execFile, spawn } from 'child_process'; L8: import { z } from 'zod'; ... L11: import matter from 'gray-matter'; L12: import { createServer } from 'http'; L13: import { StreamableHTTPServerTransport } from '@[redacted].js'; ... L44: function daemonRegistryDir() { L45: return resolve(homedir(), ".agentproto", "daemons"); L46: } ... L80: const [raw, st] = await Promise.all([readFile(path, "utf8"), stat(path)]); L81: out.push({ meta: JSON.parse(raw), path, mtime: st.mtime }); L82: } catch {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.mjsView on unpkg · L6
6Trigger-reachable chain: manifest.main -> dist/index.mjs L6: import { homedir } from 'os'; L7: import { execFile, spawn } from 'child_process'; L8: import { z } from 'zod'; ... L11: import matter from 'gray-matter'; L12: import { createServer } from 'http'; L13: import { StreamableHTTPServerTransport } from '@[redacted].js'; ... L44: function daemonRegistryDir() { L45: return resolve(homedir(), ".agentproto", "daemons"); L46: } ... L80: const [raw, st] = await Promise.all([readFile(path, "utf8"), stat(path)]); L81: out.push({ meta: JSON.parse(raw), path, mtime: st.mtime }); L82: } catch {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.mjsView on unpkg · L6
6import { homedir } from 'os'; L7: import { execFile, spawn } from 'child_process'; L8: import { z } from 'zod';
High
Child Process

Package source references child process execution.

dist/index.mjsView on unpkg · L6
1070try { L1071: const sqlite = await import('sqlite'); L1072: DatabaseSync = sqlite.DatabaseSync;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.mjsView on unpkg · L1070

Findings

2 Critical2 High4 Medium4 Low
CriticalCommand Output Exfiltrationdist/index.mjs
CriticalTrigger Reachable Dangerous Capabilitydist/index.mjs
HighChild Processdist/index.mjs
HighShell
MediumDynamic Requiredist/index.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings