registry  /  @controlvector/cv-agent  /  1.12.0

@controlvector/cv-agent@1.12.0

Standalone agent daemon for CV-Hub — bridges Claude Code with CV-Hub task dispatch

AI Security Review

scanned 2h ago · by lpm-firewall-ai

An authenticated user who runs `cva agent --auto-approve` starts a daemon that accepts CV-Hub-dispatched tasks. Those tasks can direct a fully tool-approved Claude Code subprocess; self-update tasks also reach shell commands with insufficient input validation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `cva agent`, especially `--auto-approve`, after configuring CV-Hub credentials.
Impact
A compromised or malicious CV-Hub task source can cause arbitrary local actions in the selected working directory; crafted self-update descriptions can inject shell commands.
Mechanism
Remote task dispatch to an auto-approved coding agent plus task-controlled shell-based self-update.
Rationale
The package is not malicious at install time, but it exposes a high-risk remote execution capability and an unvalidated task-to-shell self-update path. Its package-aligned network use and explicit user activation support a warning rather than a block.
Evidence
package.jsondist/index.jsdist/commands/agent.jsdist/commands/setup.jsdist/utils/api.jsdist/utils/credentials.js~/.config/cv-hub/credentials~/.config/controlvector/credentials.json<working-dir>/CLAUDE.md<working-dir>/.gitignore
Network endpoints1
api.hub.controlvector.io

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/agent.js` polls CV-Hub tasks then spawns `claude` with task-controlled prompts.
  • `--auto-approve` permits `Bash(*)`, file writes, and web tools for dispatched tasks.
  • Self-update interpolates task descriptions into shell `npm install` or `cd ... &&` commands.
  • The agent streams Claude output and update output back to CV-Hub task-event APIs.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook; `prepublishOnly` is publish-time only.
  • Network use targets configured/default CV-Hub API endpoints and supports the stated task-dispatch product.
  • Credential files are stored mode `0600`; prompts explicitly prohibit committing local secrets.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 24 file(s), 1.08 MB of source, external domains: api.hub.controlvector.io, claude.ai, git-scm.com, hub.controlvector.io, json-schema.org, nodejs.org

Source & flagged code

5 flagged · loading source
dist/utils/git-credentials.jsView file
26exports.mintGitPat = mintGitPat; L27: const node_child_process_1 = require("node:child_process"); L28: /** Credentials-file field that holds the git-capable cv_pat. */
High
Child Process

Package source references child process execution.

dist/utils/git-credentials.jsView on unpkg · L26
dist/commands/setup.jsView file
17const commander_1 = require("commander"); L18: const node_child_process_1 = require("node:child_process"); L19: const node_fs_1 = require("node:fs"); ... L31: try { L32: const data = JSON.parse((0, node_fs_1.readFileSync)(SHARED_CRED_PATH, 'utf-8')); L33: if (data.token && data.hub_url) ... L48: const timeout = setTimeout(() => controller.abort(), 10_000); L49: const res = await fetch(`${hubUrl}/api/auth/me`, { L50: headers: { Authorization: `Bearer ${token}` }, ... L74: headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, L75: body: new URLSearchParams({ L76: client_id: DEVICE_CLIENT_ID,
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/commands/setup.jsView on unpkg · L17
dist/bundle.cjsView file
4062Trigger-reachable chain: manifest.bin -> dist/bundle.cjs L4062: } else if (tokenData.error === "expired_token") { L4063: process.stdout.write("\r" + " ".repeat(60) + "\r"); L4064: throw new Error("Authorization expired"); ... L4070: try { L4071: return (0, import_node_child_process2.execSync)(`${cmd} 2>&1`, { encoding: "utf8", timeout: 5e3 }).trim().split("\n")[0]; L4072: } catch { ... L4076: async function runSetup() { L4077: const hubUrl = "https://api.hub.controlvector.io"; L4078: const appUrl = "https://hub.controlvector.io";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bundle.cjsView on unpkg · L4062
41Cross-file remote execution chain: dist/bundle.cjs spawns dist/commands/agent.js; helper contains network access plus dynamic code execution. L41: * Constructs the CommanderError class L42: * @param {number} exitCode suggested exit code which could be used with process.exit L43: * @param {string} code an id string representing the error ... L967: var EventEmitter = require("node:events").EventEmitter; L968: var childProcess = require("node:child_process"); L969: var path3 = require("node:path"); ... L1016: this._outputConfiguration = { L1017: writeOut: (str) => process4.stdout.write(str), L1018: writeErr: (str) => process4.stderr.write(str), ... L1052: * @returns {Command[]} L1053: * @private L1054: */
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bundle.cjsView on unpkg · L41
23107const pkg = source === "npm" ? "@controlvector/cv-agent@latest" : source.replace("npm:", ""); L23108: output = (0, import_node_child_process6.execSync)(`npm install -g ${pkg} 2>&1`, { encoding: "utf8", timeout: 12e4 }); L23109: } else if (source.startsWith("git:")) {
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/bundle.cjsView on unpkg · L23107

Findings

2 Critical3 High3 Medium5 Low
CriticalCommand Output Exfiltrationdist/commands/setup.js
CriticalTrigger Reachable Dangerous Capabilitydist/bundle.cjs
HighChild Processdist/utils/git-credentials.js
HighCross File Remote Execution Contextdist/bundle.cjs
HighRuntime Package Installdist/bundle.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings