registry  /  @agentworkforce/runtime  /  4.1.23

@agentworkforce/runtime@4.1.23

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. An opt-in runtime harness can create or overwrite agent instruction sidecars within a caller-selected workspace and start a configured agent CLI. This is a real AI-agent control-surface capability, but not install-time malware.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
An application invokes `ctx.harness.run()` with a persona containing harness instruction content.
Impact
Configured persona content can affect a Codex/Claude-style agent session in that workspace.
Mechanism
Workspace-bounded AGENTS/CLAUDE sidecar setup and non-shell agent-harness launch.
Rationale
Source inspection found a concrete, opt-in AI-agent control-surface write and harness launch, which warrants a warning under the firewall policy. It did not find behavior sufficient to classify the package as malicious or block publication.
Evidence
package.jsondist/cloud-defaults.jsdist/relay-mcp.jsdist/local-preview.jsdist/local-preview-child.jsdist/local-preview-hooks.jsAGENTS.mdCLAUDE.md
Network endpoints4
api.anthropic.comapi.openai.comchatgpt.com/backend-api/codexopenrouter.ai/api

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/cloud-defaults.js` writes persona-rendered `AGENTS.md` or `CLAUDE.md` before launching an agent harness.
  • `dist/cloud-defaults.js` launches configured harness binaries with `spawn(..., { shell: false })`.
  • `dist/relay-mcp.js` invokes a relay broker with `--register` during configured Codex/Claude harness setup.
Evidence against
  • `package.json` declares no `preinstall`, `install`, or `postinstall` script.
  • Instruction writes are constrained to the selected workspace by `resolveWorkspacePath`.
  • Local preview imports a caller-selected bundle only after child-process and raw-network guards are installed.
  • No covert exfiltration, remote payload download, global agent-config mutation, or persistence was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 48 file(s), 345 KB of source, external domains: 127.0.0.1, agentrelay.com, api.anthropic.com, api.openai.com, cast.agentrelay.com, cast.example.com, chatgpt.com, cloud.example.test, example.test, openrouter.ai, relay.example.test, relayfile.example.test

Source & flagged code

2 flagged · loading source
dist/local-preview-executor.jsView file
248try { L249: userModule = (await import(bundleUrl)); L250: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/local-preview-executor.jsView on unpkg · L248
dist/local-preview.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @agentworkforce/runtime@4.1.20 matchedIdentity = npm:QGFnZW50d29ya2ZvcmNlL3J1bnRpbWU:4.1.20 similarity = 0.925 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/local-preview.jsView on unpkg

Findings

1 High3 Medium5 Low
HighPrevious Version Dangerous Deltadist/local-preview.js
MediumDynamic Requiredist/local-preview-executor.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License