@aidraw/agentdraw@0.1.14

Local-first editable whiteboard workspace for coding agents.

AI Security Review

scanned 15m ago · by lpm-firewall-ai

No confirmed malicious attack surface. The meaningful runtime surface is an explicitly invoked local whiteboard CLI that can start a local HTTP server and read/write user-selected AgentDraw scene/export/gallery files.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
User runs `agentdraw` commands such as `open`, `repair --write`, `export`, `import-svg`, or `gallery`.
Impact
Can create or modify user-specified AgentDraw scene, export, imported SVG conversion, and gallery files; no install-time or foreign AI-agent control-surface mutation identified.
Mechanism
User-invoked local editor server and scene file utilities
Rationale
Static inspection shows a user-invoked local-first drawing CLI with local server/file editing capabilities aligned to the package purpose, and no lifecycle hook, credential harvesting, exfiltration, remote code execution, persistence, or AI-agent control hijack. The unresolved CORS/local-file surface is a product security consideration, not enough evidence of malicious npm package behavior.
Evidence
package.json, README.md, dist/index.js, dist/render.js, web-dist/assets/subset-shared.chunk-62dPLQau.js, web-dist/assets/index-Bg0bRLch.js, .agentdraw/untitled.agentdraw.json, .agentdraw/theme-gallery.html, <user-specified scene/export/import paths>
Network endpoints (2)
127.0.0.1:3927, localhost

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Local API has permissive CORS and can read/write scene paths supplied by browser requests when user runs `agentdraw open`.
  • `open --background` launches a detached node process for the package's own local server.
Evidence against
  • package.json has no install/preinstall/postinstall/prepare lifecycle hooks; only `bin.agentdraw` points to dist/index.js.
  • CLI command dispatch is user-invoked; no import-time action beyond defining functions and calling main for the bin.
  • Network behavior is a local HTTP server on 127.0.0.1:3927 by default and a localhost fetch probe for reuse detection.
  • File writes are package-aligned scene/export/gallery outputs; no writes to .mcp.json, CLAUDE/Codex/Cursor settings, shell startup files, VCS hooks, or autostart entries found.
  • child_process spawn is limited to opening the system browser or starting the package's own background server from explicit CLI flags.
  • Scanner high-entropy/font and web bundle hits are static web assets/WASM/font data, not executable install-time payload evidence.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Eval, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Minified, Obfuscated, Protestware, Telemetry, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 130 file(s), 7.83 MB of source, external domains: app.excalidraw.com, chevrotain.io, discord.gg, docs.excalidraw.com, en.wikipedia.org, excalidraw-room-persistence.firebaseio.com, github.com, json.excalidraw.com, langium.org, libraries.excalidraw.com, mermaid.js.org, oss-ai.excalidraw.com, oss-collab.excalidraw.com, player.vimeo.com, plus.excalidraw.com, react.dev, us-central1-excalidraw-room-persistence.cloudfunctions.net, www.w3.org, www.youtube.com, x.com, youtube.com

Source & flagged code

7 flagged
web-dist/assets/subset-shared.chunk-62dPLQau.js
L22: patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...64};
Critical
Critical Secret

Package contains a critical-looking secret pattern.

web-dist/assets/subset-shared.chunk-62dPLQau.js · L22
L22: patternName = aws_access_key severity = critical line = 22 matchedText = `,X.push...64};
Critical
Secret Pattern

AWS access key ID in web-dist/assets/subset-shared.chunk-62dPLQau.js

web-dist/assets/subset-shared.chunk-62dPLQau.js · L22
L1: import{f as Vg}from"./index-Bg0bRLch.js";var vC=(()=>{let F=new Uint8Array(128);for(let L=0;L<64;L++)F[L<26?L+65:L<52?L+71:L<62?L-4:L*4-205]=L;return L=>{let I=L.length,c=new Uint8... L2: ${I.extraStackTrace()}`),hI(A)}function sI(A,g,C,Q){w(`Assertion failed: ${$(A)}, at: ${[g?$(g):"unknown filename",C,Q?$(Q):"unknown function"]}`)}function NI(A){return yA(A)}funct... L3: "use strict"; return body.apply(this, arguments);
Low
Eval

Package source references a known benign dynamic code generation pattern.

web-dist/assets/subset-shared.chunk-62dPLQau.js · L1
web-dist/assets/index-Bg0bRLch.js
L100: contains invisible/control Unicode U+202A (left-to-right embedding) `)},Hte=0,qc=[];function Xte(e){var t=D.useRef([]),n=D.useRef([0,0]),a=D.useRef(),i=D.useState(Hte++)[0],l=D.useState(zA)[0],s=D.useRef(e);D.useEffect(function(){s.current=e},[e]),D.useEffect(function(){if(e.inert){document.body.classList.a
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

web-dist/assets/index-Bg0bRLch.js · L100
L10: patternName = google_api_key severity = high line = 10 matchedText = `).repla...AZZX
High
Secret Pattern

Google API key in web-dist/assets/index-Bg0bRLch.js

web-dist/assets/index-Bg0bRLch.js · L10
web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
path = web-dist/assets/Assistant-Bold-gm-uSS1B.woff2 kind = high_entropy_blob sizeBytes = 20380 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
dist/index.js
matchType = previous_version_dangerous_delta matchedPackage = @aidraw/agentdraw@0.1.12 matchedIdentity = npm:QGFpZHJhdy9hZ2VudGRyYXc:0.1.12 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.js

Findings

3 Critical, 3 High, 4 Medium, 7 Low
Critical · Critical Secret · web-dist/assets/subset-shared.chunk-62dPLQau.js
Critical · Trojan Source Unicode · web-dist/assets/index-Bg0bRLch.js
Critical · Secret Pattern · web-dist/assets/subset-shared.chunk-62dPLQau.js
High · Ships High Entropy Blob · web-dist/assets/Assistant-Bold-gm-uSS1B.woff2
High · Previous Version Dangerous Delta · dist/index.js
High · Secret Pattern · web-dist/assets/index-Bg0bRLch.js
Medium · Network
Medium · Environment Vars
Medium · Protestware
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · web-dist/assets/subset-shared.chunk-62dPLQau.js
Low · Filesystem
Low · Obfuscated
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings