AI Security Review
scanned 8d ago · by lpm-firewall-aiNo confirmed malicious attack surface was found. The package is a user-invoked CLI that reads project files, runs constrained discovery commands, writes generated test-planning artifacts, and optionally uploads them to Autonoma.
Static reason
One or more suspicious static signals were detected.
Trigger
User runs autonoma-planner or npx @autonoma-ai/planner.
Impact
Generates local E2E planning artifacts and uploads them when configured by Autonoma credentials; no evidence of credential harvesting, persistence, destructive behavior, or install-time execution.
Mechanism
Package-aligned AI test planner CLI with constrained local tools and optional uploads
Rationale
Static inspection shows suspicious primitives are tied to the advertised planner workflow and are user-invoked, constrained, or credential-gated. I found no lifecycle execution, unconsented exfiltration, destructive code, persistence, dependency confusion, or AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/index.js~/.autonoma/.device-id~/.autonoma/.env<projectRoot>/.env~/.autonoma/<project-slug>/AUTONOMA.md~/.autonoma/<project-slug>/scenarios.md~/.autonoma/<project-slug>/entity-audit.md~/.autonoma/<project-slug>/recipe.json~/.autonoma/<project-slug>/qa-tests/
Network endpoints5
autonoma.appautonoma.app/v1/llm-proxyus.i.posthog.com/capture/docs.autonoma.applocalhost:3000/api/autonoma
Decision evidence
public snapshotAI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
- dist/index.js provides an AI tool that can run allowlisted shell commands via sh -c when the user runs the CLI.
- dist/index.js sends analytics to PostHog by default unless DONT_TRACK is set.
- dist/index.js uploads generated artifacts/recipes to Autonoma when AUTONOMA_API_TOKEN and AUTONOMA_GENERATION_ID are configured.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle scripts; execution is via the autonoma-planner bin only.
- README.md describes the package purpose as an E2E test planner that reads a frontend repo, writes artifacts, and uploads them to Autonoma.
- dist/index.js constrains .env loading to an allowlist of Autonoma-related keys, not arbitrary secrets.
- dist/index.js write-file tools write under the output directory and reject paths escaping it.
- dist/index.js shell tool allows only git,wc,sort,head,tail,cat,ls,find,diff,echo and rejects chaining/redirects/subshells.
- Network endpoints are package-aligned: autonoma.app, docs.autonoma.app, configured local SDK endpoint, and PostHog analytics.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
NoLicense
Source & flagged code
4 flagged · loading sourcedist/index.jsView file
446// src/core/notify.ts
L447: import { execFile as execFile2 } from "child_process";
L448: import { platform } from "os";
High
441DEFAULT_MODEL = "google/gemini-3-flash-preview";
L442: DEFAULT_API_URL = "https://autonoma.app";
L443: }
...
L446: // src/core/notify.ts
L447: import { execFile as execFile2 } from "child_process";
L448: import { platform } from "os";
L449: function notify(title, message) {
L450: process.stderr.write("\x07");
L451: const os = platform();
High
Command Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L4414010patternName = generic_password
severity = medium
line = 4010
matchedText = - Email/... } }
Medium
2451patternName = generic_password
severity = medium
line = 2451
matchedText = // Sugge...' })
Medium
Findings
3 High5 Medium5 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumSecret Patterndist/index.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/index.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License