registry  /  @buildautomaton/cli  /  0.1.73

@buildautomaton/cli@0.1.73

CLI for BuildAutomaton: ACP client, WebSocket bridge to backend, and skills (e.g. preview)

AI Security Review

scanned 17h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. When the user runs the bridge CLI, an authenticated BuildAutomaton WebSocket can request installation of skill files. The handler permits traversal-capable server-supplied paths and writes them beneath or outside the bridge root; default output is an AI-agent skill directory.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `buildautomaton`/`ba` and connects its bridge to the configured backend.
Impact
A compromised or malicious backend/session could plant files in agent-discovery paths or escape the intended skill directory; later agent discovery may load the planted extension.
Mechanism
WebSocket-commanded arbitrary skill-file writes and agent installer invocation.
Rationale
Source inspection does not establish malware or install-time compromise, but it does establish a high-risk remote-controlled AI-agent extension installation path with missing path validation. Downgrade to warn rather than block because activation requires user-run authenticated bridge runtime, not unconsented npm lifecycle execution.
Evidence
package.jsondist/cli.jsdist/index.js<bridgeRoot>/.agents/skills/<skillName>/<filePath>~/.buildautomaton/config.json
Network endpoints2
api.buildautomaton.combuildautomaton-firehose.fly.dev

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` accepts `install_skills` messages from its active WebSocket bridge.
  • `dist/cli.js` writes server-supplied skill files with `path.join` and no traversal validation.
  • Default skill target is `.agents/skills`, a discovered AI-agent extension location.
  • `dist/cli.js` can install agents on a bridge message, including `curl | bash` for Cursor.
  • No npm lifecycle hooks are declared in `package.json`.
Evidence against
  • No install-time execution is declared in `package.json`.
  • No `eval`, `new Function`, or decoded-payload execution was found in entrypoints.
  • Base64 decoding is used for JWT/E2EE data and skill bytes, not dynamic code execution.
  • Network defaults are package-aligned BuildAutomaton endpoints.
  • The scanner's remote-decode-execute claim is unsupported by inspected source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
NoLicense
scanned 5 file(s), 3.86 MB of source, external domains: 127.0.0.1, api.buildautomaton.com, app.buildautomaton.com, buildautomaton-firehose.fly.dev, cursor.com, developer.mozilla.org, git-scm.com, github.com, json-schema.org, kiro.dev, stackoverflow.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
55kStatusCode: Symbol("status-code"), L56: kWebSocket: Symbol("websocket"), L57: NOOP: () => { ... L108: } else { L109: buf = Buffer.from(data); L110: toBuffer.readOnly = false; ... L120: }; L121: if (!process.env.WS_NO_BUFFER_UTIL) { L122: try { ... L172: * L173: * @private L174: */
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.jsView on unpkg · L55
Trigger-reachable chain: manifest.main -> dist/index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg
3692"use strict"; L3693: var childProcess2 = __require("child_process"); L3694: var spawn11 = childProcess2.spawn;
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L3692
30731})(); L30732: var powerShellPathFromWsl = async () => { L30733: const mountPoint = await wslDrivesMountPoint();
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L30731
dist/cli.jsView file
48Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L48: * Constructs the CommanderError class L49: * @param {number} exitCode suggested exit code which could be used with process.exit L50: * @param {string} code an id string representing the error ... L974: var EventEmitter2 = __require("node:events").EventEmitter; L975: var childProcess2 = __require("node:child_process"); L976: var path84 = __require("node:path"); ... L1023: this._outputConfiguration = { L1024: writeOut: (str) => process8.stdout.write(str), L1025: writeErr: (str) => process8.stderr.write(str), ... L1059: * @returns {Command[]} L1060: * @private L1061: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L48
dist/tree-sitter/tree-sitter-go.wasmView file
path = dist/tree-sitter/tree-sitter-go.wasm kind = wasm_module sizeBytes = 217182 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/tree-sitter/tree-sitter-go.wasmView on unpkg

Findings

2 Critical3 High4 Medium6 Low
CriticalRemote Asset Decode Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduledist/tree-sitter/tree-sitter-go.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License