registry  /  @agentskit/cli  /  0.13.14

@agentskit/cli@0.13.14

CLI for AgentsKit chat and project scaffolding.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `agentskit chat`/`run` with selected tools or user-controlled AgentsKit configuration/plugins.
Impact
A user who enables or supplies untrusted agent configuration/plugins/tasks can cause local command execution and data exposure through those configured capabilities.
Mechanism
User-configured agent runtime executes shell, MCP, plugin, and filesystem capabilities.
Rationale
Source inspection contradicts the scanner's claimed credential exfiltration: provider keys are used for requested provider requests, not an unrelated collector. The shipped CLI nevertheless provides high-impact local agent execution primitives, so it should warn rather than block.
Evidence
package.jsondist/bin.jsdist/chunk-RNOYLQCV.jsdist/index.cjs~/.agentskit/config.ts~/.agentskit/config.json~/.agentskit/plugins./.agentskit.config.ts./.agentskit.config.json./.agentskit/components.json./.agentskit-history.json./.agentskit-rag/store.json
Network endpoints3
api.openai.comregistry.agentskit.ioraw.githubusercontent.com/AgentsKit-io/agentskit-registry/v1/schema/components.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-RNOYLQCV.js` runs configured shell hooks via `sh -c`.
  • `dist/chunk-RNOYLQCV.js` spawns configured MCP server commands with inherited environment.
  • `dist/chunk-RNOYLQCV.js` auto-imports JavaScript/TypeScript plugins from `~/.agentskit/plugins` during `chat`.
  • `chat`/`run` expose filesystem and shell tools to selected LLM agent workflows.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • `dist/bin.js` only parses explicitly invoked CLI arguments.
  • Environment API keys are passed to selected provider adapters, not sent to an unrelated hard-coded endpoint.
  • Network use is feature-aligned: provider embeddings and the AgentsKit component registry.
  • Config writes occur only through explicit `agentskit config init` or scaffold/add commands.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 575 KB of source, external domains: api.anthropic.com, api.openai.com, generativelanguage.googleapis.com, github.com, nodejs.org, ollama.com, openrouter.ai, raw.githubusercontent.com, registry.agentskit.io, www.agentskit.io

Source & flagged code

5 flagged · loading source
dist/chunk-RNOYLQCV.jsView file
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react'; ... L31: const raw = await readFile(path5, "utf8"); L32: return JSON.parse(raw); L33: } catch { ... L46: try { L47: const raw = await readFile(join(dir, "package.json"), "utf8"); L48: const pkg = JSON.parse(raw); ... L78: if (home === null) return void 0; L79: const globalDir = join(home ?? homedir(), ".agentskit"); L80: const tsConfig = await loadTsConfig(join(globalDir, "config.ts"));
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react';
High
Child Process

Package source references child process execution.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react'; ... L112: defaultModel: "llama3.1", L113: factory: (c) => ollama({ model: c.model, baseUrl: c.baseUrl }) L114: }, ... L226: try { L227: return JSON.parse(readFileSync(path5, "utf8")); L228: } catch {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
38try { L39: const mod = await import(path5); L40: return mod.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-RNOYLQCV.jsView on unpkg · L38
dist/index.cjsView file
17Trigger-reachable chain: manifest.main -> dist/index.cjs L17: var integrations = require('@agentskit/integrations'); L18: var child_process = require('child_process'); L19: var jsxRuntime = require('react/jsx-runtime'); ... L40: const raw = await promises.readFile(path5, "utf8"); L41: return JSON.parse(raw); L42: } catch { ... L55: try { L56: const raw = await promises.readFile(path.join(dir, "package.json"), "utf8"); L57: const pkg = JSON.parse(raw); ... L87: if (home === null) return void 0; L88: const globalDir = path.join(home ?? os.homedir(), ".agentskit"); L89: const tsConfig = await loadTsConfig(path.join(globalDir, "config.ts"));
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg · L17

Findings

2 Critical3 High4 Medium4 Low
CriticalCredential Exfiltrationdist/chunk-RNOYLQCV.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
HighChild Processdist/chunk-RNOYLQCV.js
HighShell
HighRemote Agent Bridgedist/chunk-RNOYLQCV.js
MediumDynamic Requiredist/chunk-RNOYLQCV.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings