registry  /  @agentskit/cli  /  0.13.21

@agentskit/cli@0.13.21

CLI for AgentsKit chat and project scaffolding.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time or import-time attack behavior is established. The CLI intentionally gives user-invoked agent sessions optional shell, filesystem, web, plugin, and MCP capabilities.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `agentskit chat`, `agentskit run`, `agentskit add`, or `agentskit dev` with corresponding options/configuration.
Impact
A user-approved or locally configured agent can execute commands and modify project files; this is a real dual-use capability, not confirmed package-originated abuse.
Mechanism
User-configured agent tooling, shell hooks, MCP subprocesses, and registry-backed project generation.
Rationale
The scanner's credential-exfiltration label is not supported by source: observed environment reads select provider credentials for requested model/integration calls. The package warrants a warning for powerful user-invoked agent execution surfaces, but no concrete malicious behavior supports blocking.
Evidence
package.jsondist/bin.jsdist/chunk-RNOYLQCV.jsdist/index.cjs.agentskit.config.ts.agentskit.config.json.agentskit/components.json.agentskit/install-log.jsonl
Network endpoints5
api.openai.comapi.anthropic.com/v1/messagesgenerativelanguage.googleapis.com/v1beta/modelsregistry.agentskit.ioraw.githubusercontent.com/AgentsKit-io/agentskit-registry/main

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-RNOYLQCV.js` exposes explicit `chat` and `run` commands with filesystem, shell, and web tools.
  • `dist/chunk-RNOYLQCV.js` runs configured shell hooks with `sh -c` and starts configured MCP commands.
  • `dist/chunk-RNOYLQCV.js` loads project/global TypeScript config modules and optional plugin modules at user command runtime.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle hook.
  • `dist/bin.js` only parses CLI arguments after the user invokes `agentskit`.
  • Environment API keys are resolved for selected model/integration providers; no source sends arbitrary environment data to an unrelated endpoint.
  • Registry downloads and project writes occur only through explicit `agentskit add`/`update` commands.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 575 KB of source, external domains: api.anthropic.com, api.openai.com, generativelanguage.googleapis.com, github.com, nodejs.org, ollama.com, openrouter.ai, raw.githubusercontent.com, registry.agentskit.io, www.agentskit.io

Source & flagged code

5 flagged · loading source
dist/chunk-RNOYLQCV.jsView file
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react'; ... L31: const raw = await readFile(path5, "utf8"); L32: return JSON.parse(raw); L33: } catch { ... L46: try { L47: const raw = await readFile(join(dir, "package.json"), "utf8"); L48: const pkg = JSON.parse(raw); ... L78: if (home === null) return void 0; L79: const globalDir = join(home ?? homedir(), ".agentskit"); L80: const tsConfig = await loadTsConfig(join(globalDir, "config.ts"));
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react';
High
Child Process

Package source references child process execution.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
7import { writeFileSync, existsSync, readdirSync, statSync, readFileSync, mkdirSync, rmSync } from 'fs'; L8: import { spawn } from 'child_process'; L9: import React2, { useMemo, useState, useEffect, useRef } from 'react'; ... L112: defaultModel: "llama3.1", L113: factory: (c) => ollama({ model: c.model, baseUrl: c.baseUrl }) L114: }, ... L226: try { L227: return JSON.parse(readFileSync(path5, "utf8")); L228: } catch {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/chunk-RNOYLQCV.jsView on unpkg · L7
38try { L39: const mod = await import(path5); L40: return mod.default ?? mod;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-RNOYLQCV.jsView on unpkg · L38
dist/index.cjsView file
17Trigger-reachable chain: manifest.main -> dist/index.cjs L17: var integrations = require('@agentskit/integrations'); L18: var child_process = require('child_process'); L19: var jsxRuntime = require('react/jsx-runtime'); ... L40: const raw = await promises.readFile(path5, "utf8"); L41: return JSON.parse(raw); L42: } catch { ... L55: try { L56: const raw = await promises.readFile(path.join(dir, "package.json"), "utf8"); L57: const pkg = JSON.parse(raw); ... L87: if (home === null) return void 0; L88: const globalDir = path.join(home ?? os.homedir(), ".agentskit"); L89: const tsConfig = await loadTsConfig(path.join(globalDir, "config.ts"));
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg · L17

Findings

2 Critical3 High4 Medium4 Low
CriticalCredential Exfiltrationdist/chunk-RNOYLQCV.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
HighChild Processdist/chunk-RNOYLQCV.js
HighShell
HighRemote Agent Bridgedist/chunk-RNOYLQCV.js
MediumDynamic Requiredist/chunk-RNOYLQCV.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings