registry  /  @autonoma-ai/planner  /  0.1.16

@autonoma-ai/planner@0.1.16

Autonoma test planner - generate E2E test cases for any frontend codebase.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an authenticated CLI agent that reads a target project, generates E2E planning artifacts, can run constrained inspection commands, and uploads outputs to Autonoma only when configured.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs the autonoma-planner CLI.
Impact
Expected project inspection, local artifact generation, analytics, and optional artifact upload; no confirmed malicious behavior.
Mechanism
User-invoked AI planning CLI with constrained shell/file tools and configured API uploads
Rationale
Static inspection shows suspicious primitives are core to a documented planner CLI: authenticated LLM/API calls, opt-out analytics, project file reads, local artifact writes, constrained shell inspection, and optional uploads. There is no lifecycle execution, hidden exfiltration, destructive behavior, or concrete malicious payload.
Evidence
package.jsonREADME.mddist/index.js~/.autonoma/.device-id~/.autonoma/.env<projectRoot>/.env~/.autonoma/<projectSlug>/.project-context.json~/.autonoma/<projectSlug>/.pipeline-state.json~/.autonoma/<projectSlug>/AUTONOMA.md~/.autonoma/<projectSlug>/scenarios.md~/.autonoma/<projectSlug>/entity-audit.md~/.autonoma/<projectSlug>/recipe.json~/.autonoma/<projectSlug>/qa-tests//tmp/autonoma-recipe-<entity>.json
Network endpoints7
autonoma.appautonoma.app/v1/llm-proxyautonoma.app/v1/setup/setups/{id}/artifactsautonoma.app/v1/setup/setups/{id}/scenario-recipe-versionsus.i.posthog.com/capture/docs.autonoma.appuser-provided SDK_ENDPOINT_URL

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js exposes an agent bash tool using sh -c for an allowlist of basic commands.
  • dist/index.js uploads generated artifacts/test cases to configured Autonoma setup endpoints when API token and generation id exist.
  • dist/index.js sends analytics/error events to PostHog by default unless DONT_TRACK is set.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; only bin autonoma-planner points to dist/index.js.
  • Network use is package-aligned: Autonoma LLM proxy/API, docs, user SDK endpoint, and PostHog analytics.
  • Project/global .env loading only accepts ENV_KEYS allowlist, not arbitrary env such as PATH or NODE_OPTIONS.
  • File writes are scoped to ~/.autonoma output/state/config, generated qa-tests, temp review JSON, and user-selected output artifacts.
  • Shell/editor execution is runtime/user-invoked through the CLI, with command allowlisting for agent bash and editor prompts.
  • No code found for credential harvesting, persistence, destructive install-time behavior, or unconsented AI-agent control-surface mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 301 KB of source, external domains: autonoma.app, docs.autonoma.app, us.i.posthog.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
428// src/core/notify.ts L429: import { execFile as execFile2 } from "child_process"; L430: import { platform } from "os";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L428
423DEFAULT_MODEL = "google/gemini-3-flash-preview"; L424: DEFAULT_API_URL = "https://autonoma.app"; L425: } ... L428: // src/core/notify.ts L429: import { execFile as execFile2 } from "child_process"; L430: import { platform } from "os"; L431: function notify(title, message) { L432: process.stderr.write("\x07"); L433: const os = platform();
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L423
3992patternName = generic_password severity = medium line = 3992 matchedText = - Email/... } }
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L3992
2433patternName = generic_password severity = medium line = 2433 matchedText = // Sugge...' })
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L2433

Findings

3 High5 Medium5 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumSecret Patterndist/index.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/index.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License