registry  /  @castlemilk/omega  /  0.1.8

@castlemilk/omega@0.1.8

Omega Harness CLI - installable via npx

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No malicious install-time behavior was found, but the user-started local server exposes configured provider records including API keys through a CORS-enabled endpoint. This is a real local credential exposure risk rather than confirmed malware.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the harness UI/server or configures providers through the local API.
Impact
A web page or local client able to reach the harness server could read configured provider API keys.
Mechanism
CORS-enabled local API returns provider config secrets
Rationale
Source inspection shows package-aligned CLI/server functionality with no install-time execution or concrete malicious chain. However, unrestricted CORS plus secret-bearing /providers responses creates an unresolved credential exposure risk worth warning on.
Evidence
package.jsondist/cli.jsdist/server.jspackages/skills/src/generated/*.tspackages/skills/src/generated/index.ts
Network endpoints7
localhost:4000localhost:11434api.openai.com/v1api.anthropic.com/v1generativelanguage.googleapis.com/v1betaapi.moonshot.ai/v1api.moonshot.cn/v1

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • dist/server.js uses app.use(cors()) with no origin restriction.
  • dist/server.js GET /providers returns providerConfigs, which can include apiKey from POST /providers or process.env.KIMI_API_KEY.
  • dist/cli.js ui command can spawn bundled dist/server.js and open the local web UI.
  • dist/cli.js skill generate writes generated adapter files to OMEGA_HARNESS_ROOT or inferred packages/skills/src.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/cli.js child_process use is user-invoked for starting the bundled/local harness server, not install-time execution.
  • Network endpoints are package-aligned local harness and configured LLM provider APIs.
  • No evidence of credential harvesting from files, stealth persistence, destructive behavior, or remote payload loading.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 369 KB of source, external domains: api.anthropic.com, api.moonshot.ai, api.moonshot.cn, api.openai.com, generativelanguage.googleapis.com, reactjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
dist/cli.jsView file
77import { Command as Command3 } from "commander"; L78: import { spawn } from "child_process"; L79: import { existsSync } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L77
332stdio: "inherit", L333: shell: true L334: });
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L332
77import { Command as Command3 } from "commander"; L78: import { spawn } from "child_process"; L79: import { existsSync } from "fs"; ... L89: import { jsx, jsxs } from "react/jsx-runtime"; L90: var API = process.env.HARNESS_API_URL || "http://localhost:4000"; L91: function formatTime(d) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L77
matchType = previous_version_dangerous_delta matchedPackage = @castlemilk/omega@0.6.4 matchedIdentity = npm:QGNhc3RsZW1pbGsvb21lZ2E:0.6.4 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg

Findings

4 High2 Medium4 Low
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSame File Env Network Executiondist/cli.js
HighPrevious Version Dangerous Deltadist/cli.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings