registry  /  @autonoma-ai/planner  /  0.1.17

@autonoma-ai/planner@0.1.17

Autonoma test planner - generate E2E test cases for any frontend codebase.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a user-invoked CLI that reads project files, runs constrained discovery commands, writes generated test-planning artifacts, and optionally uploads them to Autonoma.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs autonoma-planner or npx @autonoma-ai/planner.
Impact
Generates local E2E planning artifacts and uploads them when configured by Autonoma credentials; no evidence of credential harvesting, persistence, destructive behavior, or install-time execution.
Mechanism
Package-aligned AI test planner CLI with constrained local tools and optional uploads
Rationale
Static inspection shows suspicious primitives are tied to the advertised planner workflow and are user-invoked, constrained, or credential-gated. I found no lifecycle execution, unconsented exfiltration, destructive code, persistence, dependency confusion, or AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/index.js~/.autonoma/.device-id~/.autonoma/.env<projectRoot>/.env~/.autonoma/<project-slug>/AUTONOMA.md~/.autonoma/<project-slug>/scenarios.md~/.autonoma/<project-slug>/entity-audit.md~/.autonoma/<project-slug>/recipe.json~/.autonoma/<project-slug>/qa-tests/
Network endpoints5
autonoma.appautonoma.app/v1/llm-proxyus.i.posthog.com/capture/docs.autonoma.applocalhost:3000/api/autonoma

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/index.js provides an AI tool that can run allowlisted shell commands via sh -c when the user runs the CLI.
  • dist/index.js sends analytics to PostHog by default unless DONT_TRACK is set.
  • dist/index.js uploads generated artifacts/recipes to Autonoma when AUTONOMA_API_TOKEN and AUTONOMA_GENERATION_ID are configured.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle scripts; execution is via the autonoma-planner bin only.
  • README.md describes the package purpose as an E2E test planner that reads a frontend repo, writes artifacts, and uploads them to Autonoma.
  • dist/index.js constrains .env loading to an allowlist of Autonoma-related keys, not arbitrary secrets.
  • dist/index.js write-file tools write under the output directory and reject paths escaping it.
  • dist/index.js shell tool allows only git,wc,sort,head,tail,cat,ls,find,diff,echo and rejects chaining/redirects/subshells.
  • Network endpoints are package-aligned: autonoma.app, docs.autonoma.app, configured local SDK endpoint, and PostHog analytics.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 1 file(s), 301 KB of source, external domains: autonoma.app, docs.autonoma.app, us.i.posthog.com

Source & flagged code

4 flagged · loading source
dist/index.jsView file
446// src/core/notify.ts L447: import { execFile as execFile2 } from "child_process"; L448: import { platform } from "os";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L446
441DEFAULT_MODEL = "google/gemini-3-flash-preview"; L442: DEFAULT_API_URL = "https://autonoma.app"; L443: } ... L446: // src/core/notify.ts L447: import { execFile as execFile2 } from "child_process"; L448: import { platform } from "os"; L449: function notify(title, message) { L450: process.stderr.write("\x07"); L451: const os = platform();
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L441
4010patternName = generic_password severity = medium line = 4010 matchedText = - Email/... } }
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/index.jsView on unpkg · L4010
2451patternName = generic_password severity = medium line = 2451 matchedText = // Sugge...' })
Medium
Secret Pattern

Hardcoded password in dist/index.js

dist/index.jsView on unpkg · L2451

Findings

3 High5 Medium5 Low
HighChild Processdist/index.js
HighShell
HighCommand Output Exfiltrationdist/index.js
MediumSecret Patterndist/index.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndist/index.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License