registry  /  @autonoma-ai/planner  /  0.1.15

@autonoma-ai/planner@0.1.15

Autonoma test planner - generate E2E test cases for any frontend codebase.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked AI E2E test planner that reads a project, generates local artifacts, optionally tests a user-provided local SDK endpoint, and uploads artifacts to Autonoma with configured credentials.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs autonoma-planner or npx @autonoma-ai/planner
Impact
Project code and generated test artifacts may be sent to Autonoma/OpenRouter-aligned services during intended planner operation; no install-time execution or hidden exfiltration found.
Mechanism
AI-assisted codebase analysis and artifact generation/upload
Rationale
The suspicious primitives are aligned with the advertised CLI: AI model calls, constrained codebase exploration, local artifact writes, optional Autonoma upload, analytics with opt-out, and user-mediated local endpoint testing. There are no lifecycle hooks, hidden persistence, credential harvesting beyond documented Autonoma env use, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/index.js~/.autonoma/.device-id~/.autonoma/.env<projectRoot>/.env~/.autonoma/<project-slug>/AUTONOMA.md~/.autonoma/<project-slug>/scenarios.md~/.autonoma/<project-slug>/entity-audit.md~/.autonoma/<project-slug>/recipe.json~/.autonoma/<project-slug>/qa-tests/**/*.md/tmp/autonoma-recipe-<entity>.json
Network endpoints5
autonoma.appautonoma.app/v1/llm-proxyus.i.posthog.com/capture/docs.autonoma.appuser-provided SDK endpoint such as http://localhost:3000/api/autonoma

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/index.js sends analytics to PostHog unless DONT_TRACK is set
  • dist/index.js uploads generated artifacts/test cases to Autonoma when token and generation id are configured
  • dist/index.js exposes an AI bash tool using sh -c, but with a small allowlist and no chaining/redirection
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • package.json bin points to user-invoked dist/index.js CLI
  • dist/index.js requires AUTONOMA_API_TOKEN before main run and uses Autonoma/OpenRouter endpoints for planner LLM work
  • dist/index.js bash allowlist is git,wc,sort,head,tail,cat,ls,find,diff,echo with 30s timeout
  • dist/index.js writes outputs under ~/.autonoma/<project-slug> and temp recipe files, matching README behavior
  • README.md documents codebase analysis, artifact upload, env vars, and opt-out analytics
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 299 KB of source, external domains: autonoma.app, docs.autonoma.app, us.i.posthog.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
425// src/core/notify.ts L426: import { execFile as execFile2 } from "child_process"; L427: import { platform } from "os";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L425
420DEFAULT_MODEL = "google/gemini-3-flash-preview"; L421: DEFAULT_API_URL = "https://autonoma.app"; L422: } ... L425: // src/core/notify.ts L426: import { execFile as execFile2 } from "child_process"; L427: import { platform } from "os"; L428: function notify(title, message) { L429: process.stderr.write("\x07"); L430: const os = platform();
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L420
3989patternName = generic_password severity = medium line = 3989 matchedText = - Email/... } }
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L3989
2430patternName = generic_password severity = medium line = 2430 matchedText = // Sugge...' })
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L2430

Findings

3 High5 Medium5 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumSecret Patterndist/index.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/index.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License