registry  /  @castlemilk/omega  /  0.6.3

@castlemilk/omega@0.6.3

Omega Harness CLI - installable via npx

AI Security Review

scanned 3d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs harness UI/agent command and creates/runs an agent-tagged task
Impact
Dangerous dual-use project mutation/publishing if exposed to untrusted prompts or providers
Mechanism
LLM-controlled project file writes, command execution, git commit, optional publish
Policy narrative
The CLI is package-aligned as an Omega harness, but its bundled agent server lets model outputs call write_file and run_command against a user-selected project, then commits diffs and can publish if autoPublish is enabled. This is user-invoked rather than lifecycle malware, yet it is a real AI-agent control surface with high blast radius.
Rationale
Source inspection did not show credential theft, exfiltration, persistence, or install-time execution. The confirmed risk is dangerous user-invoked autonomous agent capability, so warn rather than block.
Evidence
package.jsondist/cli.jsdist/server/dist/lib/run-task.jsdist/server/node_modules/@omega/agent/dist/tools.jsdist/server/node_modules/@omega/agent/dist/executor.jsdist/server/node_modules/@omega/agent/dist/publisher.jsprojectPath files via write_filepackages/bundle/package.json
Network endpoints2
localhost:4000localhost:50051

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/server/node_modules/@omega/agent/dist/tools.js exposes LLM tools read_file/write_file/run_command in projectPath
  • dist/server/node_modules/@omega/agent/dist/executor.js runs agent tasks when tags include agent/self-improve
  • dist/server/node_modules/@omega/agent/dist/publisher.js can pnpm publish and git tag/push when autoPublish passes
  • dist/cli.js ui command starts bundled server and auto-adds current cwd as project
Evidence against
  • package.json has only prepublishOnly; no install-time hook
  • dist/cli.js network defaults are localhost HTTP/gRPC or user --api/env overrides
  • dist/cli.js child_process starts bundled server or dev server from explicit ui command
  • tools.js blocks path traversal and some destructive shell patterns
  • Provider API keys are user-entered config, not harvested from env/files
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 560 KB of source, external domains: reactjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @castlemilk/omega@0.2.0 matchedIdentity = npm:QGNhc3RsZW1pbGsvb21lZ2E:0.2.0 similarity = 0.895 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli.jsView on unpkg
441import { Command as Command4 } from "commander"; L442: import { spawn } from "child_process"; L443: import { existsSync as existsSync2 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L441
550stdio: "inherit", L551: shell: true, L552: env
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L550
540const grpcPort = await findAvailablePort(DEFAULT_GRPC_PORT, MAX_GRPC_PORT); L541: apiUrl = `http://localhost:${port.toString()}`; L542: process.env.HARNESS_API_URL = apiUrl; L543: const env = { ... L548: }; L549: server = startBundledServer(env) ?? spawn("pnpm", ["--filter", "@omega/server", "dev"], { L550: stdio: "inherit",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L540

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSame File Env Network Executiondist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings