@aidraw/agentdraw@0.1.10

Local-first editable whiteboard workspace for coding agents.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-invoked CLI that serves a local whiteboard/editor and reads or writes project scene files with path checks.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the agentdraw CLI
Impact
Local scene files may be created or updated as part of the documented editor workflow; no exfiltration or lifecycle persistence found.
Mechanism
local HTTP editor plus scene file read/write
Rationale
Source inspection shows a package-aligned local-first whiteboard CLI with no lifecycle hooks, credential theft, external network exfiltration, or unconsented agent control-surface mutation. Scanner findings appear to be noisy bundled web assets and expected local server/file operations.
Evidence
  • package.json
  • dist/index.js
  • web-dist/index.html
  • web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
  • web-dist/assets/subset-shared.chunk-VYO9Ebyw.js
  • web-dist/assets/index-BjQDHGCo.js
  • web-dist/assets/*
  • designs/*/design.md

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • No npm lifecycle hooks in package.json; execution is via user-invoked bin agentdraw -> dist/index.js.
  • dist/index.js starts a local HTTP server and can spawn a detached copy of itself only from the CLI flow.
  • dist/index.js reads/writes scene files selected through CLI/API and blocks paths containing .ssh, .gnupg, .aws, or .config.
  • web-dist bundles include fonts and browser assets; high-entropy woff2 assets are expected static web payloads.
Evidence against
  • No install-time code or unconsented writes to AI-agent control surfaces found in package.json.
  • No credential harvesting or secret/env exfiltration behavior found in inspected entrypoint.
  • Network behavior is local server/client use around localhost rather than external C2 endpoints.
  • Potential eval/secret/unicode scanner hits are inside bundled frontend/vendor assets and not tied to malicious execution.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 130 file(s), 7.64 MB of source, external domains: app.excalidraw.com, chevrotain.io, discord.gg, docs.excalidraw.com, en.wikipedia.org, excalidraw-room-persistence.firebaseio.com, github.com, json.excalidraw.com, langium.org, libraries.excalidraw.com, mermaid.js.org, oss-ai.excalidraw.com, oss-collab.excalidraw.com, player.vimeo.com, plus.excalidraw.com, react.dev, us-central1-excalidraw-room-persistence.cloudfunctions.net, www.w3.org, www.youtube.com, x.com, youtube.com

Source & flagged code

6 flagged
web-dist/assets/subset-shared.chunk-VYO9Ebyw.js
L22: patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...64};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

web-dist/assets/subset-shared.chunk-VYO9Ebyw.js · L22
L22: patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...64};
Critical
Secret Pattern

AWS access key ID in web-dist/assets/subset-shared.chunk-VYO9Ebyw.js

web-dist/assets/subset-shared.chunk-VYO9Ebyw.js · L22
L1: import{f as Vg}from"./index-BjQDHGCo.js";var vC=(()=>{let F=new Uint8Array(128);for(let L=0;L<64;L++)F[L<26?L+65:L<52?L+71:L<62?L-4:L*4-205]=L;return L=>{let I=L.length,c=new Uint8...
L2: ${I.extraStackTrace()}`),hI(A)}function sI(A,g,C,Q){w(`Assertion failed: ${$(A)}, at: ${[g?$(g):"unknown filename",C,Q?$(Q):"unknown function"]}`)}function NI(A){return yA(A)}funct...
L3: "use strict"; return body.apply(this, arguments);
Low
Eval

Package source references a known benign dynamic code generation pattern.

web-dist/assets/subset-shared.chunk-VYO9Ebyw.js · L1
web-dist/assets/index-BjQDHGCo.js
L100: contains invisible/control Unicode U+202A (left-to-right embedding) `)},Nte=0,Kc=[];function Ote(e){var t=I.useRef([]),n=I.useRef([0,0]),a=I.useRef(),i=I.useState(Nte++)[0],l=I.useState(LA)[0],s=I.useRef(e);I.useEffect(function(){s.current=e},[e]),I.useEffect(function(){if(e.inert){document.body.classList.a
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

web-dist/assets/index-BjQDHGCo.js · L100
L10: patternName = google_api_key severity = high line = 10 matchedText = `).repla...AZZX
High
Secret Pattern

Google API key in web-dist/assets/index-BjQDHGCo.js

web-dist/assets/index-BjQDHGCo.js · L10
web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
path = web-dist/assets/Assistant-Bold-gm-uSS1B.woff2 kind = high_entropy_blob sizeBytes = 20380 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

web-dist/assets/Assistant-Bold-gm-uSS1B.woff2

Findings

3 Critical · 2 High · 4 Medium · 7 Low
Critical · Critical Secret · web-dist/assets/subset-shared.chunk-VYO9Ebyw.js
Critical · Trojan Source Unicode · web-dist/assets/index-BjQDHGCo.js
Critical · Secret Pattern · web-dist/assets/subset-shared.chunk-VYO9Ebyw.js
High · Ships High Entropy Blob · web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
High · Secret Pattern · web-dist/assets/index-BjQDHGCo.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · web-dist/assets/subset-shared.chunk-VYO9Ebyw.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings