registry  /  @bolloon/bolloon-agent  /  0.2.5

@bolloon/bolloon-agent@0.2.5

P2P AI Document Agent - 全局安装后执行 `bolloon` 启动产品

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was established. The package is a P2P/LLM document agent with explicit CLI/web runtime behavior, local state writes, provider API calls, and user-invoked harness commands that can append AGENTS.md/CLAUDE.md.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Explicit user execution of bolloon CLI, web server, update flags, or harness commands; npm install attempts declared missing postinstall script.
Impact
Runtime can contact configured LLM/P2P services and write local .bolloon state; AGENTS.md/CLAUDE.md writes require explicit harness commands and were not lifecycle-triggered.
Mechanism
CLI-spawned agent runtime with local P2P/LLM integrations and explicit harness write-back commands.
Rationale
Scanner findings map to a real agent application with broad runtime capabilities, but source inspection did not confirm unconsented lifecycle execution, credential exfiltration, destructive behavior, or covert AI-agent control mutation. The risky AGENTS.md/CLAUDE.md writes are explicit harness command behavior rather than install/import-time compromise.
Evidence
package.jsonbin/bolloon-cli.cjsbin/bolloon.cjsdist/cli-entry.jsdist/index.jsdist/utils/auto-update.jsdist/security/input-scanner.jsdist/heartbeat/StartupVerifier.jsdist/llm/pi-ai.jsdist/bootstrap/lifecycle-hooks.jsdist/agents/shell-tool.jsdist/network/known-peers.jsscripts/postinstall.jsbin/ipfs
Network endpoints12
api.openai.com/v1api.anthropic.com/v1localhost:11434openrouter.ai/api/v1generativelanguage.googleapis.com/v1betaapi.minimaxi.com/v1api.deepseek.com/v1api.moonshot.cn/v1open.bigmodel.cn/api/paas/v4dashscope.aliyuncs.com/compatible-mode/v1api.xiaomi.com/v1registry.npmjs.org/

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json declares postinstall, but scripts/postinstall.js is absent from shipped files; install would fail rather than run hidden code.
  • dist/index.js starts network/bootstrap logic only when CLI entry executes; no import-time payload beyond main entry use.
  • User-invoked harness commands append AGENTS.md/CLAUDE.md in cwd, creating an AI-agent control-surface write capability.
  • bin/ipfs is a large native binary shipped for local IPFS/P2P functionality.
Evidence against
  • bin/bolloon-cli.cjs and dist/cli-entry.js only spawn packaged dist/electron.js or dist/index.js on explicit bolloon CLI use.
  • dist/utils/auto-update.js disables update checks by default and requires --update-check/--update-now/--allow-update or BOLLOON_AUTO_UPDATE=1.
  • dist/llm/pi-ai.js sends configured API keys only to selected LLM provider endpoints or env-overridden base URLs.
  • dist/security/input-scanner.js unicode/control-character logic is a scanner for user input, not a Trojan Source payload.
  • dist/web/server.js binds to 127.0.0.1 by default unless BOLLOON_HOST is set.
  • No credential harvesting, destructive filesystem action, persistence install, or covert exfiltration found in inspected entrypoints.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 253 file(s), 2.09 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.deepseek.com, api.minimaxi.com, api.moonshot.cn, api.openai.com, api.xiaomi.com, ark.cn-beijing.volces.com, dashscope.aliyuncs.com, esm.sh, eth.llamarpc.com, example.com, generativelanguage.googleapis.com, github.com, open.bigmodel.cn, openclaw.ai, openrouter.ai, platform.minimaxi.com, registry.npmjs.org, www.google.com, www.volcengine.com

Source & flagged code

9 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/bolloon.cjsView file
1#!/usr/bin/env node L2: const path = require("path"); L3: const { spawn } = require("child_process");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/bolloon.cjsView on unpkg · L1
dist/heartbeat/StartupVerifier.jsView file
89package = @bolloon/bolloon-agent; repositoryIdentity = bolloon; dependency = @diap/sdk L89: try { L90: await import('@diap/sdk'); L91: this.completeCheck('p2p_modules', true, '@diap/sdk available');
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/heartbeat/StartupVerifier.jsView on unpkg · L89
dist/security/input-scanner.jsView file
56contains invisible/control Unicode U+200B (zero width space) const WHITESPACE_ANOMALY_RE = /[<U+200B>-<U+200F><U+FEFF>]{5,}/g;
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/security/input-scanner.jsView on unpkg · L56
bin/ipfsView file
path = bin/ipfs kind = native_binary sizeBytes = 77977152 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/ipfsView on unpkg
bin/bolloon.cmdView file
path = bin/bolloon.cmd kind = build_helper sizeBytes = 230 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/bolloon.cmdView on unpkg
dist/web/icons/favicon.icnsView file
path = dist/web/icons/favicon.icns kind = high_entropy_blob sizeBytes = 467940 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/icons/favicon.icnsView on unpkg
dist/cli-entry.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @bolloon/bolloon-agent@0.2.4 matchedIdentity = npm:QGJvbGxvb24vYm9sbG9vbi1hZ2VudA:0.2.4 similarity = 0.983 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli-entry.jsView on unpkg

Findings

2 Critical3 High7 Medium4 Low
CriticalTrojan Source Unicodedist/security/input-scanner.js
CriticalPrevious Version Dangerous Deltadist/cli-entry.js
HighInstall Time Lifecycle Scriptspackage.json
HighCopied Package Dependency Bridgedist/heartbeat/StartupVerifier.js
HighShips High Entropy Blobdist/web/icons/favicon.icns
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/bolloon.cjs
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybin/ipfs
MediumShips Build Helperbin/bolloon.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings