@aidraw/agentdraw@0.1.12

Local-first editable whiteboard workspace for coding agents.

AI Security Review

scanned 6h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time behavior. Residual risk is a user-invoked localhost editor API that can read/create/write scene JSON paths while the server is running and uses permissive CORS.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
User runs agentdraw open, especially with --background
Impact
Potential local file read/write exposure if another local/web context can reach the running server; not package-install malware
Mechanism
local HTTP file-backed editor API
Attack narrative
When explicitly launched, the CLI starts a localhost AgentDraw editor. Its API accepts a file parameter, normalizes it with path.resolve, reads or creates scene files, and writes POSTed scene snapshots. The API also emits permissive CORS headers. This is a real local-server hardening concern, but inspection did not find lifecycle execution, persistence, exfiltration, or unconsented mutation of foreign AI-agent control surfaces.
Rationale
Source inspection supports a legitimate local-first whiteboard CLI with a user-invoked local server, but the unauthenticated permissive localhost file API is enough unresolved risk to warn. It is not malicious under the firewall policy because there is no install hook, credential theft, external endpoint, remote payload, or agent control hijack.
Evidence
  • package.json
  • README.md
  • dist/index.js
  • web-dist/assets/index-CkNd1JJE.js
  • .agentdraw/untitled.agentdraw.json
  • .agentdraw/theme-gallery.html
  • user-specified scene file
  • user-specified export output
Network endpoints (3)
  • 127.0.0.1:3927
  • localhost
  • /api/scene

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • dist/index.js starts a local HTTP editor with API routes for /api/scene
  • dist/index.js sets access-control-allow-origin:* on JSON API responses
  • /api/scene resolves user-supplied file paths and reads/creates/writes scene JSON under cwd or absolute paths
  • open --background spawns a detached node process with inherited env when user invokes it
Evidence against
  • package.json has no npm lifecycle hooks
  • package.json exposes only user-invoked bin agentdraw
  • No evidence of credential harvesting, external exfiltration, eval/vm, or remote code loading in inspected CLI paths
  • Network use is local server/probe plus bundled web app fetches to same-origin /api/scene
  • No writes to foreign AI-agent control surfaces such as CLAUDE.md, .mcp.json, Codex, Cursor, or shell startup files
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 130 file(s), 7.64 MB of source, external domains: app.excalidraw.com, chevrotain.io, discord.gg, docs.excalidraw.com, en.wikipedia.org, excalidraw-room-persistence.firebaseio.com, github.com, json.excalidraw.com, langium.org, libraries.excalidraw.com, mermaid.js.org, oss-ai.excalidraw.com, oss-collab.excalidraw.com, player.vimeo.com, plus.excalidraw.com, react.dev, us-central1-excalidraw-room-persistence.cloudfunctions.net, www.w3.org, www.youtube.com, x.com, youtube.com

Source & flagged code

6 flagged
web-dist/assets/subset-shared.chunk-CjHbYe2n.js
patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...64};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

web-dist/assets/subset-shared.chunk-CjHbYe2n.js, line 22
patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...64};
Critical
Secret Pattern

AWS access key ID in web-dist/assets/subset-shared.chunk-CjHbYe2n.js

web-dist/assets/subset-shared.chunk-CjHbYe2n.js, line 22
web-dist/assets/index-CkNd1JJE.js
contains invisible/control Unicode U+202A (left-to-right embedding) `)},Ote=0,Kc=[];function zte(e){var t=I.useRef([]),n=I.useRef([0,0]),a=I.useRef(),i=I.useState(Ote++)[0],l=I.useState(NA)[0],s=I.useRef(e);I.useEffect(function(){s.current=e},[e]),I.useEffect(function(){if(e.inert){document.body.classList.a
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

web-dist/assets/index-CkNd1JJE.js, line 100
patternName = google_api_key severity = high line = 10 matchedText = `).repla...AZZX
High
Secret Pattern

Google API key in web-dist/assets/index-CkNd1JJE.js

web-dist/assets/index-CkNd1JJE.js, line 10
web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
path = web-dist/assets/Assistant-Bold-gm-uSS1B.woff2 kind = high_entropy_blob sizeBytes = 20380 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
dist/index.js
matchType = previous_version_dangerous_delta matchedPackage = @aidraw/agentdraw@0.1.10 matchedIdentity = npm:QGFpZHJhdy9hZ2VudGRyYXc:0.1.10 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.js

Findings

3 Critical, 3 High, 4 Medium, 7 Low
  • Critical · Critical Secret · web-dist/assets/subset-shared.chunk-CjHbYe2n.js
  • Critical · Trojan Source Unicode · web-dist/assets/index-CkNd1JJE.js
  • Critical · Secret Pattern · web-dist/assets/subset-shared.chunk-CjHbYe2n.js
  • High · Ships High Entropy Blob · web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
  • High · Previous Version Dangerous Delta · dist/index.js
  • High · Secret Pattern · web-dist/assets/index-CkNd1JJE.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Protestware
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Eval
  • Low · Filesystem
  • Low · Obfuscated
  • Low · High Entropy Strings
  • Low · Telemetry
  • Low · Url Strings