registry  /  @ai-setting/agent-bounty  /  0.5.0

@ai-setting/agent-bounty@0.5.0

AI Agent Bounty System — Task publishing, grabbing, and communication platform. v0.5.0: remove server config command, default TLS skip for fetch (no -k needed), upgrade roy deps (cli 1.5.110, core 1.5.102, harness 1.5.50).

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was found. The main risk is explicit CLI/runtime integration with a Roy agent EventSource and prompt hook, plus insecure defaults for TLS and server auth.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Running the bounty CLI, especially with BOUNTY_IM_ADDRESS set, or starting the bounty server.
Impact
Can persist a bounty-im EventSource in the Roy agent environment and inject bounty command guidance into the default prompt; default TLS/auth settings can weaken deployments but are package-aligned.
Mechanism
first-party agent extension registration and bounty messaging/server features
Rationale
Static source inspection shows agent lifecycle integration and insecure defaults, but no unconsented install-time mutation, credential exfiltration, remote payload execution, or destructive behavior. This should warn for first-party agent extension lifecycle risk rather than block as malicious.
Evidence
package.jsonsrc/bin/bounty.tssrc/cli/cli.tssrc/cli/hooks/bounty-prompt-hook.tssrc/lib/mail/bounty-constants.tssrc/im/eventsource/bounty-im-handler.tssrc/cli/lib/fetch-helper.tssrc/server/http/index.tssrc/cli/commands/server/start.tssrc/cli/storage.ts~/.config/bounty/token./data/bounty.dbevent-sources.json
Network endpoints3
localhost:4000ws://localhost:4000/wslocalhost:3001

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/cli/cli.ts auto-registers bounty-im EventSource when BOUNTY_IM_ADDRESS is set and notes persistence to event-sources.json.
  • src/cli/hooks/bounty-prompt-hook.ts appends BOUNTY_CAPABILITIES to the default agent prompt.
  • src/cli/lib/fetch-helper.ts disables TLS verification by default via NODE_TLS_REJECT_UNAUTHORIZED=0.
  • src/server/http/index.ts defaults BOUNTY_TOKEN_CHECK_ENABLED off, leaving /api routes unauthenticated in default server mode.
  • src/cli/commands/server/start.ts spawns bun run server only for explicit bounty server start command.
Evidence against
  • package.json has only prepublishOnly lifecycle; no install/preinstall/postinstall execution.
  • src/bin/bounty.ts only loads dotenv and runs the explicit CLI entrypoint.
  • Network activity is CLI/server functionality for bounty API, IM WebSocket, SMTP, or user-provided server URLs.
  • Credential handling is local auth token storage/read under ~/.config/bounty/token and SMTP/JWT env use, with no exfiltration sink found.
  • No hidden downloader, remote payload execution, broad AI-agent config mutation at npm install time, or destructive import-time behavior found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 80 file(s), 1.48 MB of source, external domains: accounts.google.com, api.nodemailer.com, bounty.example.com, bounty.tongagents.example.com, ethereal.email, github.com, nodemailer.com, yargs.js.org

Source & flagged code

5 flagged · loading source
dist/bin/bounty.jsView file
6659} L6660: exec(sql) { L6661: this.db.exec(sql);
High
Child Process

Package source references child process execution.

dist/bin/bounty.jsView on unpkg · L6659
75Cross-file remote execution chain: dist/bin/bounty.js spawns dist/server/server.js; helper contains network access plus dynamic code execution. L75: function supportsAnsi() { L76: return process.stdout.isTTY; L77: } ... L108: if (!result.parsed) { L109: const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`); L110: err.code = "MISSING_DATA"; ... L142: } L143: if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) { L144: return process.env.DOTENV_KEY; ... L193: } else { L194: possibleVaultPath = path.resolve(process.cwd(), ".env.vault"); L195: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/bounty.jsView on unpkg · L75
51var require_main = __commonJS((exports, module) => { L52: var fs = __require("fs"); L53: var path = __require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/bin/bounty.jsView on unpkg · L51
75function supportsAnsi() { L76: return process.stdout.isTTY; L77: } ... L108: if (!result.parsed) { L109: const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`); L110: err.code = "MISSING_DATA"; ... L142: } L143: if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) { L144: return process.env.DOTENV_KEY; ... L193: } else { L194: possibleVaultPath = path.resolve(process.cwd(), ".env.vault"); L195: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/bin/bounty.jsView on unpkg · L75
src/cli/commands/server/start.tsView file
matchType = previous_version_dangerous_delta matchedPackage = @ai-setting/agent-bounty@0.4.3 matchedIdentity = npm:[redacted]:0.4.3 similarity = 0.731 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

src/cli/commands/server/start.tsView on unpkg

Findings

1 Critical3 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltasrc/cli/commands/server/start.ts
HighChild Processdist/bin/bounty.js
HighShell
HighCross File Remote Execution Contextdist/bin/bounty.js
MediumDynamic Requiredist/bin/bounty.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/bin/bounty.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings