registry  /  @agentrhq/webcmd  /  0.3.1

@agentrhq/webcmd@0.3.1

Turn websites, browser sessions, desktop apps, and local tools into deterministic CLI surfaces for humans and AI agents.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `webcmd skills install` or `webcmd skills update`; global install can run postinstall adapter/completion setup.
Impact
Bundled skill content becomes discoverable by the chosen agent provider; install-time effects remain scoped to Webcmd and shell-completion files.
Mechanism
Explicit agent-skill symlink setup plus first-party Webcmd cache maintenance.
Rationale
No concrete malicious behavior was confirmed, but explicit commands alter AI-agent skill directories. Under the firewall policy, that remains a warn-level agent capability risk rather than a publish-blocking attack.
Evidence
package.jsonscripts/postinstall.jsscripts/fetch-adapters.jsdist/src/skills.jsdist/src/cli.jsdist/src/update-check.js~/.webcmd/skills/<skill>~/.agents/skills/<skill>~/.codex/skills/<skill>~/.claude/skills/<skill>~/.webcmd/clis~/.webcmd/spotify.env

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/src/skills.js` symlinks bundled skills into `~/.agents`, `~/.codex`, or `~/.claude` skill directories.
  • `dist/src/cli.js` exposes this agent-directory mutation through explicit `webcmd skills install` and `webcmd skills update` commands.
  • `package.json` postinstall runs scripts that write shell completions and a `~/.webcmd/spotify.env` template on global installs.
  • `scripts/fetch-adapters.js` can remove stale first-party `~/.webcmd/clis` overrides during eligible installs.
Evidence against
  • Agent skill linking is user-invoked; no lifecycle script calls the skills install/update commands.
  • `scripts/postinstall.js` does not modify shell rc files and writes only completions plus placeholder credentials.
  • `scripts/fetch-adapters.js` declares no network use and only manages the package-owned `~/.webcmd` area.
  • `dist/src/update-check.js` has update checks disabled and uses placeholder `invalid.example` URLs.
  • No inspected lifecycle or runtime source harvested credentials/env files for exfiltration or executed remote payloads.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,364 file(s), 7.80 MB of source, external domains: 127.0.0.1, a.com, a.example, a9.com, aave.com, accounts.google.com, accounts.pixiv.net, accounts.spotify.com, ads.example, api.chess.com, api.coingecko.com, api.dictionaryapi.dev, api.example, api.example.com, api.example.test, api.fda.gov, api.github.com, api.grok.com, api.llama.fi, api.manus.im, api.npmjs.org, api.nuget.org, api.openalex.org, api.osv.dev, api.semanticscholar.org, api.slock.ai, api.spotify.com, api.stackexchange.com, api.test, api.tvmaze.com, api.webcmd.dev, api2.openreview.net, app.example, app.mercury.com, app.slock.ai, archive.org, arxiv.org, assets.bwbx.io, assets.grok.com, auth.band.us, auth.openai.com, azuresearch-usnc.nuget.org, b.example, bad.test, bitcoin.org, blinkit.com, browser.example.com, ca.linkedin.com, cdn.example.com, cdn.example.invalid

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js || true; node scripts/fetch-adapters.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js || true; node scripts/fetch-adapters.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/src/external.test.jsView file
9})); L10: vi.mock('node:child_process', () => ({ L11: spawnSync: vi.fn(),
High
Child Process

Package source references child process execution.

dist/src/external.test.jsView on unpkg · L9
115expect(spawnMock).toHaveBeenNthCalledWith(1, 'tg', ['send', 'hello world', '--to', 'a"b'], { stdio: 'inherit' }); L116: expect(spawnMock).toHaveBeenNthCalledWith(2, 'tg send "hello world" --to "a""b"', { stdio: 'inherit', shell: true }); L117: expect(process.exitCode).toBe(0);
High
Shell

Package source references shell execution.

dist/src/external.test.jsView on unpkg · L115
dist/src/browser.test.jsView file
298// Should not throw when parsed L299: expect(() => new Function(js)).not.toThrow(); L300: });
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/browser.test.jsView on unpkg · L298
dist/src/discovery.jsView file
257return; L258: await import(pathToFileURL(filePath).href).catch((err) => { L259: log.warn(`Failed to load module ${filePath}: ${getErrorMessage(err)}`);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/discovery.jsView on unpkg · L257
clis/grok/image.jsView file
6L7: const GROK_URL = 'https://grok.com/'; L8: const SESSION_HINT = 'Likely login/auth/challenge/session issue in the existing grok.com browser session.'; ... L204: // refuse direct curl/node downloads. L205: async function fetchImageAsBase64(page, url) { L206: const urlJson = JSON.stringify(url);
Low
Weak Crypto

Package source references weak cryptographic algorithms.

clis/grok/image.jsView on unpkg · L6
scripts/postinstall.jsView file
7* standard completion directory. For zsh and bash, the script prints manual L8: * instructions instead of modifying rc files (~/.zshrc, ~/.bashrc) — this L9: * avoids breaking multi-line shell commands and other fragile rc structures. ... L60: function detectShell() { L61: const shell = process.env.SHELL || ''; L62: if (shell.includes('zsh')) return 'zsh'; ... L77: // Skip in CI environments L78: if (process.env.CI || process.env.CONTINUOUS_INTEGRATION) { L79: return; ... L93: L94: const home = homedir(); L95:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

scripts/postinstall.jsView on unpkg · L7
dist/src/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @agentrhq/webcmd@0.3.0 matchedIdentity = npm:QGFnZW50cmhxL3dlYmNtZA:0.3.0 similarity = 0.725 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/cli.jsView on unpkg
65Cross-file remote execution chain: dist/src/cli.js spawns dist/src/browser/network-interceptor.js; helper contains network access plus dynamic code execution. L65: function isInteractiveInstall(opts) { L66: return !opts.json && process.stdin.isTTY === true && process.stdout.isTTY === true; L67: } ... L168: try { L169: body = JSON.parse(preview); L170: } ... L198: catch { L199: if (process.env.WEBCMD_VERBOSE) L200: log.warn(`[network] Failed to parse interceptor buffer: ${typeof raw === 'string' ? raw.slice(0, 200) : String(raw)}`); ... L216: invalid_filter: EXIT_CODES.USAGE_ERROR, L217: invalid_max_body: EXIT_CODES.USAGE_ERROR, L218: };
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/src/cli.jsView on unpkg · L65
dist/src/observation/redaction.test.jsView file
28patternName = generic_password severity = medium line = 28 matchedText = password...D]',
Medium
Secret Pattern

Hardcoded password in dist/src/observation/redaction.test.js

dist/src/observation/redaction.test.jsView on unpkg · L28

Findings

1 Critical4 High7 Medium8 Low
CriticalPrevious Version Dangerous Deltadist/src/cli.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/src/external.test.js
HighShelldist/src/external.test.js
HighCross File Remote Execution Contextdist/src/cli.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/src/discovery.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencescripts/postinstall.js
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/src/observation/redaction.test.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/src/browser.test.js
LowWeak Cryptoclis/grok/image.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings