registry  /  @buildautomaton/cli  /  0.1.74

@buildautomaton/cli@0.1.74

CLI for BuildAutomaton: ACP client, WebSocket bridge to backend, and skills (e.g. preview)

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-started authenticated bridge with intentional local-agent, preview, and localhost-proxy capabilities; the scanner's claimed remote decode-and-execute path is not present.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User executes the `buildautomaton`/`ba` CLI and connects it to a configured BuildAutomaton workspace.
Impact
An authorized backend can invoke the documented bridge capabilities, but no install-time execution, remote payload execution, credential exfiltration, or foreign agent-control persistence was found.
Mechanism
Authenticated WebSocket bridge forwarding opted-in backend actions to local agents and localhost services.
Rationale
Direct source inspection does not support the scanner's remote-asset decode-and-execute claim. The remaining network, subprocess, token, and filesystem behavior is documented CLI functionality activated only after explicit user execution and authentication.
Evidence
package.jsonREADME.mddist/cli.jsdist/index.jsdist/bridge-mcp-server.js~/.buildautomaton/config.json
Network endpoints4
api.buildautomaton.combuildautomaton-firehose.fly.devapp.buildautomaton.com127.0.0.1:${port}${path82}

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/cli.js` runs an authenticated WebSocket bridge that can forward backend prompts to opted-in local ACP agents.
  • `dist/index.js` can start a preview command and run localhost-only proxy requests after the user starts the CLI.
  • `dist/index.js` stores bridge credentials in `~/.buildautomaton/config.json`.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No package-owned `eval(` or `new Function` remote-payload execution path was found.
  • `atob` use in `dist/index.js` is JWT/E2EE decoding; fetched cloud responses are parsed as JSON or blobs, not executed.
  • `dist/index.js` restricts backend proxy targets to `localhost`, `127.0.0.1`, and `::1`.
  • `dist/index.js` writes only package-owned config/cache/worktree data; no foreign AI-agent configuration mutation was found.
  • `README.md` documents the bridge, local-agent, localhost-proxy, and preview features consistent with the source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
NoLicense
scanned 5 file(s), 3.86 MB of source, external domains: 127.0.0.1, api.buildautomaton.com, app.buildautomaton.com, buildautomaton-firehose.fly.dev, cursor.com, developer.mozilla.org, git-scm.com, github.com, json-schema.org, kiro.dev, stackoverflow.com

Source & flagged code

6 flagged · loading source
dist/index.jsView file
55kStatusCode: Symbol("status-code"), L56: kWebSocket: Symbol("websocket"), L57: NOOP: () => { ... L108: } else { L109: buf = Buffer.from(data); L110: toBuffer.readOnly = false; ... L120: }; L121: if (!process.env.WS_NO_BUFFER_UTIL) { L122: try { ... L172: * L173: * @private L174: */
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.jsView on unpkg · L55
Trigger-reachable chain: manifest.main -> dist/index.js Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg
3692"use strict"; L3693: var childProcess2 = __require("child_process"); L3694: var spawn11 = childProcess2.spawn;
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L3692
30731})(); L30732: var powerShellPathFromWsl = async () => { L30733: const mountPoint = await wslDrivesMountPoint();
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L30731
dist/cli.jsView file
48Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L48: * Constructs the CommanderError class L49: * @param {number} exitCode suggested exit code which could be used with process.exit L50: * @param {string} code an id string representing the error ... L974: var EventEmitter2 = __require("node:events").EventEmitter; L975: var childProcess2 = __require("node:child_process"); L976: var path84 = __require("node:path"); ... L1023: this._outputConfiguration = { L1024: writeOut: (str) => process8.stdout.write(str), L1025: writeErr: (str) => process8.stderr.write(str), ... L1059: * @returns {Command[]} L1060: * @private L1061: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L48
dist/tree-sitter/tree-sitter-go.wasmView file
path = dist/tree-sitter/tree-sitter-go.wasm kind = wasm_module sizeBytes = 217182 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/tree-sitter/tree-sitter-go.wasmView on unpkg

Findings

2 Critical3 High4 Medium6 Low
CriticalRemote Asset Decode Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduledist/tree-sitter/tree-sitter-go.wasm
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License