registry  /  @aiaiai-pt/martha-cli  /  0.32.0

@aiaiai-pt/martha-cli@0.32.0

Terminal-first client for the Martha AI platform

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `martha runner --allow-host-exec` or `martha chat --local-exec --yes`.
Impact
Remote Martha tasks or chat tool calls can run local commands under user consent; no unconsented activation found.
Mechanism
Explicit host command execution and API result reporting
Rationale
Static source inspection shows a legitimate Martha platform CLI with explicit host-execution features and no lifecycle hook, stealth persistence, credential scraping, or unconsented AI-agent control-surface mutation. Because the user-enabled runner/local-exec surface can execute remote task commands and exfiltrate output to the configured API, warn rather than block.
Evidence
package.jsondist/index.jsREADME.mdCHANGELOG.mdskills/martha-cli/SKILL.md~/.martha/config.yaml~/.martha/credentials.json.martha-runner/
Network endpoints5
martha.nomadriver.coauth.nomadriver.coregistry.npmjs.org/@aiaiai-pt%2Fmartha-cli/latestlocalhost:8080localhost:8180

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js registers user-invoked `runner` that executes server-supplied task goals only with `--allow-host-exec`.
  • dist/index.js supports `chat --local-exec --yes` host tools, file writes/edits, screenshots, browser actions, and local agent delegation.
  • dist/index.js posts command output/tool results back to Martha API endpoints after explicit local-exec/runner use.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; only bin `martha` points to dist/index.js.
  • Network use is aligned with documented Martha CLI operations and configurable API/auth endpoints.
  • Token/config writes are expected CLI state under `~/.martha`, with env auth precedence documented in README.md.
  • child_process findings are mostly bundled commander/update logic plus explicit runner/local-exec commands, not import-time execution.
  • MCP grant/setup is explicit via `martha mcp add/grant`, not install-time mutation of foreign AI-agent config.
  • No credential harvesting, stealth persistence, destructive install behavior, or remote payload loading found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 775 KB of source, external domains: 127.0.0.1, auth.nomadriver.co, denied.example.invalid, martha.nomadriver.co, registry.npmjs.org, www.googleapis.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
752var EventEmitter = __require("node:events").EventEmitter; L753: var childProcess = __require("node:child_process"); L754: var path = __require("node:path");
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L752
1212} L1213: const execArgv = process2.execArgv ?? []; L1214: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L1212
21526const body = fs12.readFileSync(skillPath, "utf-8"); L21527: process.stdout.write(body); L21528: } ... L21535: // src/commands/update.ts L21536: import { spawnSync } from "node:child_process"; L21537: import { realpathSync } from "node:fs"; ... L21540: var PKG = "@aiaiai-pt/martha-cli"; L21541: var LATEST_URL = "https://registry.npmjs.org/@aiaiai-pt%2Fmartha-cli/latest"; L21542: function compareSemver2(a, b) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L21526
29var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res); L30: var __require = /* @__PURE__ */ createRequire(import.meta.url); L31:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L29

Findings

3 High3 Medium4 Low
HighChild Processdist/index.js
HighShelldist/index.js
HighCommand Output Exfiltrationdist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings