registry  /  @axhub/acp  /  0.1.9

@axhub/acp@0.1.9

Experimental sibling project for validating an ACP + [assistant-ui](https://github.com/assistant-ui/assistant-ui) migration path.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes the cc-connect web launch feature at runtime.
Impact
Creates/updates a local AI-adjacent service configuration with wildcard CORS and starts a local management/bridge service.
Mechanism
Writes cc-connect service configuration, then executes a local or npx cc-connect command.
Rationale
The package is not malicious by the inspected source: there is no install-time execution, covert payload, or confirmed exfiltration. Its explicit runtime cc-connect setup mutates an external service configuration and executes a package command, so it warrants a warning rather than a block.
Evidence
package.jsonbin/acp.mjsdist/lib/cc-connect/launcher.mjsdist/lib/acp2aisdk/provider-versions.mjspublic/image-playground/assets/KaTeX_Script-Regular-D3wIWfF6.woff2~/.cc-connect/config.toml
Network endpoints1
localhost:9820

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/lib/cc-connect/launcher.mjs` writes `~/.cc-connect/config.toml`, enabling bridge and management services with generated tokens and wildcard CORS.
  • The same launcher invokes `cc-connect` or `npx -y cc-connect` and spawns its web service after a runtime launch request.
  • `bin/acp.mjs` starts the package's Next web UI only when the user runs the `acp` CLI.
  • `dist/lib/acp2aisdk/provider-versions.mjs` fetches npm registry metadata for provider-version checks.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or uninstall lifecycle hook.
  • No inspected source exfiltrates environment values, local files, or generated cc-connect tokens to a non-local endpoint.
  • The cc-connect configuration and process launch are confined to exported runtime functionality, not package installation or import.
  • `bin/acp.mjs` uses `spawn` to run the bundled Next server with parsed user/environment options.
  • The high-entropy flagged asset is a KaTeX font file, not an executable payload.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
Manifest
NoLicense
scanned 187 file(s), 1.76 MB of source, external domains: 127.0.0.1, api.example.com, api.openai.com, client.example.com, docs.fal.ai, github.com, react.dev, registry.npmjs.org, www.ifdian.net, www.w3.org

Source & flagged code

6 flagged · loading source
bin/acp.mjsView file
2L3: import { spawn } from "node:child_process"; L4: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/acp.mjsView on unpkg · L2
dist/lib/acp2aisdk/provider-command.mjsView file
3import path from "node:path"; L4: const WINDOWS_COMMAND_PROCESSOR = "cmd.exe"; L5: const POSIX_GUI_PATHS = [
High
Shell

Package source references shell execution.

dist/lib/acp2aisdk/provider-command.mjsView on unpkg · L3
dist/lib/conversations/client-adapter.mjsView file
279if (externalRepo.messages.length === 0) { L280: aui.thread().import({ messages: [] }); L281: }
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/lib/conversations/client-adapter.mjsView on unpkg · L279
dist/lib/cc-connect/launcher.mjsView file
1var _a; L2: import { execFile, spawn } from "node:child_process"; L3: import { randomBytes } from "node:crypto"; ... L8: const execFileAsync = promisify(execFile); L9: const DEFAULT_CC_CONNECT_WEB_URL = "http://localhost:9820"; L10: const DEFAULT_CC_CONNECT_CONFIG_PATH = path.join(os.homedir(), ".cc-connect", "config.toml"); L11: const DEFAULT_CC_CONNECT_COMMAND = "cc-connect"; L12: const CC_CONNECT_PACKAGE = ((_a = process.env.CC_CONNECT_PACKAGE) === null || _a === void 0 ? void 0 : _a.trim()) || "cc-connect"; L13: const DEFAULT_STARTUP_TIMEOUT_MS = 30000;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/lib/cc-connect/launcher.mjsView on unpkg · L1
public/image-playground/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View file
path = public/image-playground/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 kind = high_entropy_blob sizeBytes = 9644 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

public/image-playground/assets/KaTeX_Script-Regular-D3wIWfF6.woff2View on unpkg
dist/lib/acp2aisdk/provider-versions.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @axhub/acp@0.1.8 matchedIdentity = npm:QGF4aHViL2FjcA:0.1.8 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/lib/acp2aisdk/provider-versions.mjsView on unpkg

Findings

5 High4 Medium5 Low
HighChild Processbin/acp.mjs
HighShelldist/lib/acp2aisdk/provider-command.mjs
HighSame File Env Network Executiondist/lib/cc-connect/launcher.mjs
HighShips High Entropy Blobpublic/image-playground/assets/KaTeX_Script-Regular-D3wIWfF6.woff2
HighPrevious Version Dangerous Deltadist/lib/acp2aisdk/provider-versions.mjs
MediumDynamic Requiredist/lib/conversations/client-adapter.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License