registry  /  @castlemilk/omega  /  0.6.4

@castlemilk/omega@0.6.4

Omega Harness CLI - installable via npx

AI Security Review

scanned 3d ago · by lpm-firewall-ai

The package ships a local AI agent harness with file-write, command execution, git, and publish capabilities. This is high-risk but user-invoked and package-aligned rather than confirmed malicious install/import behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs harness/omega-harness ui, creates or runs agent-tagged tasks, or enables auto-publish
Impact
Can modify project files, execute allowed commands, commit changes, and optionally publish if configured and validation passes
Mechanism
LLM-directed local agent tools and unauthenticated local HTTP/gRPC task APIs
Attack narrative
A user who starts the harness server and configures providers can submit agent tasks that cause the bundled agent to read/write files and run commands inside configured project paths. The gRPC server listens on 0.0.0.0 and the HTTP routes lack visible auth, so deployments beyond trusted localhost increase risk, but the behavior is visible harness functionality and not activated during package install or import.
Rationale
Static inspection confirms dangerous agent capabilities, but they are explicit CLI/server features activated by user tasks and provider configuration, with no hidden lifecycle execution or concrete exfiltration. Treat as a warning-level dangerous capability rather than malicious package behavior.
Evidence
package.jsondist/cli.jsdist/server/dist/grpc.jsdist/server/dist/routes/projects.jsdist/server/dist/lib/run-task.jsdist/server/node_modules/@omega/agent/dist/tools.jsdist/server/node_modules/@omega/agent/dist/publisher.jsdist/server/node_modules/@omega/agent/dist/executor.jsuser-configured projectPath filespackages/bundle/package.json
Network endpoints7
localhost:4000localhost:500510.0.0.0:50051api.openai.com/v1api.kimi.com/coding/v1generativelanguage.googleapis.com/v1betalocalhost:11434

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/server/node_modules/@omega/agent/dist/tools.js exposes LLM-driven read_file/write_file/run_command on projectPath
  • dist/server/node_modules/@omega/agent/dist/publisher.js can pnpm install/build/publish and git push when autoPublish is enabled
  • dist/server/dist/grpc.js binds insecure gRPC on 0.0.0.0 and can auto_run submitted tasks
  • dist/server/dist/routes/projects.js accepts arbitrary project paths via HTTP API
Evidence against
  • package.json has only prepublishOnly; no install/postinstall runtime hook
  • dist/cli.js child_process use starts bundled local server only from user-invoked ui command
  • network defaults are localhost harness endpoints and configured provider APIs
  • agent capability is explicit product functionality, not hidden import/install behavior
  • no credential harvesting, persistence, destructive lifecycle action, or hardcoded exfiltration endpoint found
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 38 file(s), 560 KB of source, external domains: reactjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @castlemilk/omega@0.5.0 matchedIdentity = npm:QGNhc3RsZW1pbGsvb21lZ2E:0.5.0 similarity = 0.895 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/cli.jsView on unpkg
441import { Command as Command4 } from "commander"; L442: import { spawn } from "child_process"; L443: import { existsSync as existsSync2 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L441
550stdio: "inherit", L551: shell: true, L552: env
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L550
540const grpcPort = await findAvailablePort(DEFAULT_GRPC_PORT, MAX_GRPC_PORT); L541: apiUrl = `http://localhost:${port.toString()}`; L542: process.env.HARNESS_API_URL = apiUrl; L543: const env = { ... L548: }; L549: server = startBundledServer(env) ?? spawn("pnpm", ["--filter", "@omega/server", "dev"], { L550: stdio: "inherit",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L540

Findings

1 Critical3 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSame File Env Network Executiondist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings