registry  /  @antseed/cli  /  0.1.133

@antseed/cli@0.1.133

Broken transitive dependency pin via @antseed/node 0.2.97. Use @antseed/cli >=0.1.134.

Antseed Network CLI and Web Dashboard

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Configured first-party plugins may be refreshed from npm at runtime and then dynamically imported into the CLI process. This is a package-owned extension lifecycle risk, not confirmed malware.

Static reason
No blocking static signals were detected.
Trigger
User runs `antseed seller start` or `antseed buyer start` with a configured trusted plugin whose dependency tree is stale or missing.
Impact
A newly fetched trusted plugin can execute with the invoking user's CLI permissions.
Mechanism
Automatic latest-version plugin installation followed by dynamic import.
Rationale
No concrete malicious behavior or install-time foreign control-surface mutation was found. Downgrade to warn because user-invoked runtime automatically fetches and executes first-party plugin code at `@latest`.
Evidence
package.jsondist/plugins/drift.jsdist/plugins/loader.jsdist/plugins/manager.jsdist/cli/commands/seller/start.jsdist/cli/commands/buyer/start.js~/.antseed/plugins/package.json

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/plugins/drift.js` refreshes selected trusted plugins with `npm install --ignore-scripts <plugin>@latest`.
  • `dist/cli/commands/seller/start.js` and `dist/cli/commands/buyer/start.js` invoke refresh before dynamically importing selected plugins.
  • `dist/plugins/loader.js` installs missing trusted plugins and imports their on-disk entrypoints.
  • `dist/system-proxy/ca-manager.js` can install a local CA, but only via the explicit `system-proxy install-ca` command.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
  • Plugin installation uses `--ignore-scripts`, limiting lifecycle execution during install.
  • No source evidence of credential harvesting, secret exfiltration, or covert remote payload loading by this package.
  • System proxy and CA changes are behind explicit CLI subcommands rather than import/install-time execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 90 file(s), 662 KB of source, external domains: 127.0.0.1, antseed.com, api.anthropic.com, api.together.ai, app.example.test, base.drpc.org, base.example, base.llamarpc.com, base.publicnode.com, configured-rpc.example, dedicated-base-rpc.example, env-rpc.example, example.com, flag-rpc.example, github.com, local.invalid, mainnet.base.org, rpc.example.com, sepolia.base.org

Source & flagged code

1 flagged · loading source
dist/plugins/loader.jsView file
41try { L42: mod = await import(pathToFileURL(resolved).href); L43: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/plugins/loader.jsView on unpkg · L41

Findings

3 Medium5 Low
MediumDynamic Requiredist/plugins/loader.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License