AI Security Review
scanned 10d ago · by lpm-firewall-aiNo confirmed malicious attack surface. The package is a user-invoked AI E2E test planner that reads a project, generates local artifacts, optionally tests a user-provided local SDK endpoint, and uploads artifacts to Autonoma with configured credentials.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs autonoma-planner or npx @autonoma-ai/planner
Impact
Project code and generated test artifacts may be sent to Autonoma/OpenRouter-aligned services during intended planner operation; no install-time execution or hidden exfiltration found.
Mechanism
AI-assisted codebase analysis and artifact generation/upload
Rationale
The suspicious primitives are aligned with the advertised CLI: AI model calls, constrained codebase exploration, local artifact writes, optional Autonoma upload, analytics with opt-out, and user-mediated local endpoint testing. There are no lifecycle hooks, hidden persistence, credential harvesting beyond documented Autonoma env use, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/index.js~/.autonoma/.device-id~/.autonoma/.env<projectRoot>/.env~/.autonoma/<project-slug>/AUTONOMA.md~/.autonoma/<project-slug>/scenarios.md~/.autonoma/<project-slug>/entity-audit.md~/.autonoma/<project-slug>/recipe.json~/.autonoma/<project-slug>/qa-tests/**/*.md/tmp/autonoma-recipe-<entity>.json
Network endpoints5
autonoma.appautonoma.app/v1/llm-proxyus.i.posthog.com/capture/docs.autonoma.appuser-provided SDK endpoint such as http://localhost:3000/api/autonoma
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
- dist/index.js sends analytics to PostHog unless DONT_TRACK is set
- dist/index.js uploads generated artifacts/test cases to Autonoma when token and generation id are configured
- dist/index.js exposes an AI bash tool using sh -c, but with a small allowlist and no chaining/redirection
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks
- package.json bin points to user-invoked dist/index.js CLI
- dist/index.js requires AUTONOMA_API_TOKEN before main run and uses Autonoma/OpenRouter endpoints for planner LLM work
- dist/index.js bash allowlist is git,wc,sort,head,tail,cat,ls,find,diff,echo with 30s timeout
- dist/index.js writes outputs under ~/.autonoma/<project-slug> and temp recipe files, matching README behavior
- README.md documents codebase analysis, artifact upload, env vars, and opt-out analytics
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
425// src/core/notify.ts
L426: import { execFile as execFile2 } from "child_process";
L427: import { platform } from "os";
High
420DEFAULT_MODEL = "google/gemini-3-flash-preview";
L421: DEFAULT_API_URL = "https://autonoma.app";
L422: }
...
L425: // src/core/notify.ts
L426: import { execFile as execFile2 } from "child_process";
L427: import { platform } from "os";
L428: function notify(title, message) {
L429: process.stderr.write("\x07");
L430: const os = platform();
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L4203989patternName = generic_password
severity = medium
line = 3989
matchedText = - Email/... } }
Medium
2430patternName = generic_password
severity = medium
line = 2430
matchedText = // Sugge...' })
Medium
Findings
3 High5 Medium5 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumSecret Patterndist/index.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/index.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License