registry  /  @botiverse/raft-daemon  /  0.66.0

@botiverse/raft-daemon@0.66.0

AI Security Review

scanned 7d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Slock/Raft daemon and bundled CLI that, when explicitly run with server credentials, connects to a Slock server and manages local AI agent runtimes.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs raft-daemon/slock-daemon with --server-url and --api-key, or invokes exported CLI helpers.
Impact
Can spawn configured agent CLIs and read/write Slock runtime/workspace state as part of the daemon product behavior; no unconsented install/import-time behavior found.
Mechanism
package-aligned daemon, WebSocket client, and local AI runtime process manager
Rationale
Static inspection shows dangerous primitives, but they are the expected runtime surface of an explicitly launched daemon/CLI for managing Slock agents, not hidden lifecycle execution or credential exfiltration. No malicious install-time, import-time, persistence, destructive, or unauthorized AI-agent control-surface mutation was found.
Evidence
package.jsondist/index.jsdist/core.jsdist/chunk-EX73HXGE.jsdist/dist-PCKZII47.jsdist/cli/index.jsdist/raft-daemon.jsdist/slock-daemon.js~/.slock/agents/<agent>/.slock/slock~/.slock/agents/<agent>/.slock/raft~/.slock/agent-proxy-tokens/<agent>/<launch>.token~/.slock/profiles/<slug>/credential.json
Network endpoints4
<user-provided --server-url>/daemon/connect?key=<apiKey>slock-trace-upload.botiverse.devapp.slock.ai/schemas/agent-manifest.v0.jsonapi.slock.ai

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepack/prepublishOnly are publish-time build scripts.
    • dist/index.js only parses --server-url/--api-key and starts DaemonCore when bin is invoked.
    • dist/chunk-EX73HXGE.js WebSocket connects to user-provided serverUrl with provided apiKey.
    • child_process usage spawns named AI/runtime CLIs such as claude, codex, gemini, cursor-agent, copilot, opencode after server/user start requests.
    • credential/env handling writes scoped Slock agent token files under ~/.slock and deletes raw credential env vars before spawning child agents.
    • dist/dist-PCKZII47.js is bundled raft/slock CLI code imported by runBundledSlockCli, not an install-time payload.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsObfuscatedUrlStrings
    Manifest
    NoLicense
    scanned 8 file(s), 3.09 MB of source, external domains: app.slock.ai, fetch.spec.whatwg.org, github.com, json-schema.org, manifest.local, mimesniff.spec.whatwg.org, opencode.ai, slock.example.com, webidl.spec.whatwg.org, www.ietf.org
    Oversized source lightweight scan
    dist/cli/index.js2.02 MB file, sampled 256 KB
    FilesystemNetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStringsapp.slock.aimanifest.local

    Source & flagged code

    7 flagged · loading source
    dist/chunk-EX73HXGE.jsView file
    677Cross-file remote execution chain: dist/chunk-EX73HXGE.js spawns dist/dist-PCKZII47.js; helper contains network access plus dynamic code execution. L677: const [a, b] = ipv4.slice(1).map((part) => Number(part)); L678: if (a === 10 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 169 && b === 254) return "private"; L679: } ... L1166: end(status, options) { L1167: this.span.end(status, options ? { L1168: ...options, ... L3714: // src/proxy.ts L3715: import { HttpsProxyAgent } from "https-proxy-agent"; L3716: import { ProxyAgent } from "undici"; ... L3811: // src/daemonFetch.ts L3812: function withDaemonFetchProxy(input, init = {}, env = process.env) { L3813: const dispatcher = buildFetchDispatcher(input.toString(), env);
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/chunk-EX73HXGE.jsView on unpkg · L677
    12487patternName = generic_password severity = medium line = 12487 matchedText = if (url....D]";
    Medium
    Secret Pattern

    Package contains a possible secret pattern.

    dist/chunk-EX73HXGE.jsView on unpkg · L12487
    dist/dist-PCKZII47.jsView file
    matchType = previous_version_dangerous_delta matchedPackage = @botiverse/raft-daemon@0.65.0 matchedIdentity = npm:QGJvdGl2ZXJzZS9yYWZ0LWRhZW1vbg:0.65.0 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version.

    dist/dist-PCKZII47.jsView on unpkg
    12import path3 from "path"; L13: import { spawn } from "child_process"; L14: import { mkdir, readFile, stat, writeFile } from "fs/promises";
    High
    Child Process

    Package source references child process execution.

    dist/dist-PCKZII47.jsView on unpkg · L12
    1846} L1847: const execArgv = process3.execArgv ?? []; L1848: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
    High
    Shell

    Package source references shell execution.

    dist/dist-PCKZII47.jsView on unpkg · L1846
    dist/cli/index.jsView file
    path = dist/cli/index.js kind = oversized_source_file sizeBytes = 2113899 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/cli/index.jsView on unpkg
    path = dist/cli/index.js kind = oversized_cli_entrypoint sizeBytes = 2113899 magicHex = [redacted]
    Medium
    Oversized Cli Entrypoint

    Package contains an oversized executable-looking CLI entrypoint.

    dist/cli/index.jsView on unpkg

    Findings

    1 Critical4 High5 Medium7 Low
    CriticalPrevious Version Dangerous Deltadist/dist-PCKZII47.js
    HighChild Processdist/dist-PCKZII47.js
    HighShelldist/dist-PCKZII47.js
    HighCross File Remote Execution Contextdist/chunk-EX73HXGE.js
    HighOversized Source Filedist/cli/index.js
    MediumSecret Patterndist/chunk-EX73HXGE.js
    MediumNetwork
    MediumEnvironment Vars
    MediumOversized Cli Entrypointdist/cli/index.js
    MediumStructural Risk Force Deep Review
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowUrl Strings
    LowNo License