registry  /  @agentskit/cli  /  0.13.12

@agentskit/cli@0.13.12

CLI for AgentsKit chat and project scaffolding.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

No confirmed malicious automatic attack surface was established. The sensitive capabilities are registered as explicit CLI features and require user invocation or user-provided configuration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit `agentskit` commands such as `run`, `chat`, `add`, `dev`, or `tunnel`, plus optional user configuration.
Impact
No install-time or import-time credential theft, persistence, or unconsented control-surface mutation found.
Mechanism
User-invoked agent tooling, project scaffolding, registry fetching, tunneling, and configured plugin/MCP execution.
Rationale
The scanner findings map to the package's advertised CLI and agent features, not an automatic malicious chain. Sensitive subprocess, network, and file operations are reached only through explicit commands or user-controlled configuration.
Evidence
package.jsondist/bin.jsdist/chunk-RNOYLQCV.jsdist/index.cjs

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/chunk-RNOYLQCV.js` can spawn configured MCP servers and user-configured shell hooks.
  • `dist/chunk-RNOYLQCV.js` supports explicit agent tools including shell and filesystem capabilities.
  • `dist/chunk-RNOYLQCV.js` fetches registry content only through the user-invoked `add` command.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `dist/bin.js` only constructs and parses the CLI; importing it does not run agent commands.
  • Provider keys are selected from documented provider options/env vars for explicit chat/run actions.
  • Registry authorization is limited to a configured matching registry base; no arbitrary environment harvesting was found.
  • No automatic exfiltration, stealth persistence, destructive action, or foreign AI-agent configuration mutation was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 575 KB of source, external domains: api.anthropic.com, api.openai.com, generativelanguage.googleapis.com, github.com, nodejs.org, ollama.com, openrouter.ai, raw.githubusercontent.com, registry.agentskit.io, www.agentskit.io

Source & flagged code

5 flagged · loading source
dist/chunk-RNOYLQCV.jsView file
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react'; ... L31: const raw = await readFile(path5, "utf8"); L32: return JSON.parse(raw); L33: } catch { ... L46: try { L47: const raw = await readFile(join(dir, "package.json"), "utf8"); L48: const pkg = JSON.parse(raw); ... L78: if (home === null) return void 0; L79: const globalDir = join(home ?? homedir(), ".agentskit"); L80: const tsConfig = await loadTsConfig(join(globalDir, "config.ts"));
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react';
High
Child Process

Package source references child process execution.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react'; ... L112: defaultModel: "llama3.1", L113: factory: (c) => ollama({ model: c.model, baseUrl: c.baseUrl }) L114: }, ... L226: try { L227: return JSON.parse(readFileSync(path5, "utf8")); L228: } catch {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
38try { L39: const mod = await import(path5); L40: return mod.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-RNOYLQCV.jsView on unpkg · L38
dist/index.cjsView file
17Trigger-reachable chain: manifest.main -> dist/index.cjs L17: var integrations = require('@agentskit/integrations'); L18: var child_process = require('child_process'); L19: var jsxRuntime = require('react/jsx-runtime'); ... L40: const raw = await promises.readFile(path5, "utf8"); L41: return JSON.parse(raw); L42: } catch { ... L55: try { L56: const raw = await promises.readFile(path.join(dir, "package.json"), "utf8"); L57: const pkg = JSON.parse(raw); ... L87: if (home === null) return void 0; L88: const globalDir = path.join(home ?? os.homedir(), ".agentskit"); L89: const tsConfig = await loadTsConfig(path.join(globalDir, "config.ts"));
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg · L17

Findings

2 Critical3 High4 Medium4 Low
CriticalCredential Exfiltrationdist/chunk-RNOYLQCV.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
HighChild Processdist/chunk-RNOYLQCV.js
HighShell
HighRemote Agent Bridgedist/chunk-RNOYLQCV.js
MediumDynamic Requiredist/chunk-RNOYLQCV.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings