@bsklaroff/yaac@0.0.3

Agent sandbox manager

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs yaac CLI commands such as auth update, open/daemon, cluster setup, or session create.
Impact
Can store credentials locally, proxy-inject them to aligned services, and run configured agents with broad permissions inside yaac-managed Kubernetes sessions.
Mechanism
Explicit-user-command agent orchestration and project-owned agent config mutation.
Rationale
Source inspection shows a legitimate agent sandbox manager with high-risk but documented, user-invoked agent and Kubernetes orchestration. Because it mutates agent configs and hooks during explicit setup/session flows, warn rather than block.
Evidence
  • package.json
  • dist/cli.js
  • dist/k8s/proxy/entrypoint.sh
  • dist/k8s/proxy/proxy.ts
  • README.md
  • ~/.yaac/.credentials/*.json
  • ~/.yaac/projects/<project>/codex/hooks.json
  • ~/.yaac/projects/<project>/codex/config.toml
  • ~/.yaac/projects/<project>/codex/.yaac-hook.sh
  • ~/.yaac/projects/<project>/claude/settings.json
  • ~/.yaac/projects/<project>/opencode-config/opencode.json
Network endpoints (6)
  • claude.ai/install.sh
  • api.anthropic.com
  • api.openai.com
  • github.com
  • openrouter.ai
  • api.neuralwatt.com

Decision evidence

public snapshot
AI called this Suspicious at 80.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json exposes bin yaac -> dist/cli.js
  • dist/cli.js user-invoked session creation writes Codex hooks/config and Claude/OpenCode settings under ~/.yaac project dirs
  • dist/cli.js runs agent CLIs with permissive modes such as codex --yolo and claude --dangerously-skip-permissions
  • dist/cli.js stores host credentials under ~/.yaac/.credentials and proxy-injects them into aligned service traffic
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • dist/cli.js top level defines CLI commands; actions require explicit yaac commands or daemon/web use
  • Daemon binds 127.0.0.1 and uses bearer/bootstrap auth for local web access
  • Network endpoints are package-aligned: api.anthropic.com, api.openai.com, github.com, openrouter.ai, api.neuralwatt.com, claude.ai
  • Credential handling is documented in README.md and tied to local sandbox/proxy functionality
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain: HighEntropyStrings, Minified, Obfuscated, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 8 file(s), 1.75 MB of source, external domains: 127.0.0.1, daemon.local, get.helm.sh, github.com, kubernetes.io, react.dev, www.w3.org

Source & flagged code

7 flagged
dist/cli.js
  L24:  get dataDirOverride() {
  L25:    return process.env.YAAC_DATA_DIR;
  L26:  },
  ...
  L142: /** `YAAC_E2E_SKIP_FETCH` — `1` skips the host-side git fetch during create. */
  L143: get e2eSkipFetch() {
  L144:   return process.env.YAAC_E2E_SKIP_FETCH === "1";
  ...
  L183: try {
  L184:   const parsed = JSON.parse(raw);
  L185:   if (Array.isArray(parsed) && parsed.length > 0 && parsed.every((p) => typeof p === "string")) {
  ...
  L193: // src/shared/paths.ts
  L194: var __dirname = path.dirname(fileURLToPath(import.meta.url));
  L195: function findPackageRoot(from) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.js · L24
Trigger-reachable chain: manifest.bin -> dist/cli.js L24 (excerpt as above)
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.js · L24 (excerpt as above)
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.js · L24
dist/k8s/proxy/entrypoint.sh
path = dist/k8s/proxy/entrypoint.sh kind = build_helper sizeBytes = 1062 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/k8s/proxy/entrypoint.sh
dist/k8s/vcluster/vcluster-0.34.3.tgz
path = dist/k8s/vcluster/vcluster-0.34.3.tgz kind = compressed_blob sizeBytes = 69710 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/k8s/vcluster/vcluster-0.34.3.tgz
path = dist/k8s/vcluster/vcluster-0.34.3.tgz kind = nested_archive_needs_inspection sizeBytes = 69710 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/k8s/vcluster/vcluster-0.34.3.tgz
dist/frontend/assets/inter-greek-wght-normal-CkhJZR-_.woff2
path = dist/frontend/assets/inter-greek-wght-normal-CkhJZR-_.woff2 kind = high_entropy_blob sizeBytes = 18996 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/frontend/assets/inter-greek-wght-normal-CkhJZR-_.woff2

Findings

2 Critical · 1 High · 6 Medium · 6 Low
  • Critical: Credential Exfiltration (dist/cli.js)
  • Critical: Trigger Reachable Dangerous Capability (dist/cli.js)
  • High: Ships High Entropy Blob (dist/frontend/assets/inter-greek-wght-normal-CkhJZR-_.woff2)
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Install Persistence (dist/cli.js)
  • Medium: Ships Build Helper (dist/k8s/proxy/entrypoint.sh)
  • Medium: Ships Compressed Blob (dist/k8s/vcluster/vcluster-0.34.3.tgz)
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Obfuscated
  • Low: High Entropy Strings
  • Low: Url Strings
  • Low: Nested Archive Needs Inspection (dist/k8s/vcluster/vcluster-0.34.3.tgz)