registry  /  @crouton-kit/crouter  /  0.3.40

@crouton-kit/crouter@0.3.40

crtr — agent runtime with memory, plugins, and marketplaces

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky primitives are explicit agent-runtime and web-UI features rather than automatic install-time behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User invokes crouter CLI commands such as crtr, crtr surface web serve, crtr sys update, or setup/bootstrap flows.
Impact
Can create crouter state, export generated host command files, start local services, clone the official marketplace, or update packages when configured or requested; no covert compromise behavior found.
Mechanism
User-invoked local agent runtime, web server, host export, git marketplace bootstrap, and optional self-update
Rationale
Source inspection shows the install hook is inert aside from a message, while scanner-flagged subprocess, network, and package-install behavior belongs to opt-in CLI/runtime features of an agent runtime. The package has broad capabilities, but I found no automatic exfiltration, persistence, destructive action, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonscripts/postinstall.mjsbin/crtrbin/crouterbin/crtrddist/cli.jsdist/core/auto-update.jsdist/core/bootstrap.jsdist/core/host-exports/export.jsdist/core/self-update.jsdist/clients/web/web-cmd.jsdist/clients/web/server.jsdist/core/hearth/providers/blaxel-home.js
Network endpoints1
github.com/crouton-labs/crouter-official-marketplace.git

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has a postinstall hook and CLI runtime primitives for child_process, local HTTP/WebSocket, git, and npm update.
  • dist/core/host-exports/export.js can write generated host command files on explicit CLI runs when ~/.claude or ~/.pi/agent already exists.
  • dist/core/bootstrap.js can clone https://github.com/crouton-labs/crouter-official-marketplace.git during normal CLI bootstrap.
Evidence against
  • scripts/postinstall.mjs only skips CI or prints setup guidance; no install-time file writes, package installs, network calls, or agent config mutation.
  • bin/crtr, bin/crouter, and bin/crtrd are thin launchers to dist CLI/daemon entrypoints.
  • dist/core/auto-update.js defaults to notify, not apply; background npm install only occurs if user config sets auto_update.crtr to apply.
  • dist/clients/web/server.js binds loopback by default and requires a token for non-loopback command bridge/WebSocket access.
  • dist/core/self-update.js npm install and git update functions are user-invoked update features aligned with the package.
  • No credential harvesting, covert exfiltration, destructive install-time behavior, persistence, or reviewer/prompt manipulation found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 317 file(s), 3.98 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.exa.ai, claude.ai, dashboard.exa.ai, docs.expo.dev, github.com, mail.google.com, platform.claude.com, pure.md, react.dev, reactrouter.com, www.linkedin.com, www.w3.org
Oversized source lightweight scan
dist/clients/attach/attach-cmd.js7.19 MB file, sampled 256 KB
FilesystemChildProcessEnvironmentVarsDynamicRequireObfuscatedHighEntropyStringsMinifiedUrlStringsapi.anthropic.comdocs.expo.devgithub.complatform.claude.com

Source & flagged code

10 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/clients/web/web-cmd.jsView file
12// single leaf: `crtr surface web serve`. L13: import { spawn } from 'node:child_process'; L14: import { defineBranch, defineLeaf } from '../../core/command.js';
High
Child Process

Package source references child process execution.

dist/clients/web/web-cmd.jsView on unpkg · L12
dist/clients/attach/slash-commands.jsView file
362/** Open `cmd` as a fire-and-forget tmux display-popup (same geometry as the canvas L363: * extensions). tmux runs the trailing string through `sh -c`; the popup owns its L364: * screen and closes itself when the command exits, dropping back to this pane. */
High
Shell

Package source references shell execution.

dist/clients/attach/slash-commands.jsView on unpkg · L362
dist/clients/attach/config-load.jsView file
124const pcaEntry = import.meta.resolve('@earendil-works/pi-coding-agent'); L125: const piTuiPath = createRequire(pcaEntry).resolve('@earendil-works/pi-tui'); L126: return (await import(pathToFileURL(piTuiPath).href));
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/clients/attach/config-load.jsView on unpkg · L124
dist/builtin-pi-packages/pi-crtr-extensions/extensions/crouter-help.tsView file
1import type { ExtensionAPI } from "@earendil-works/pi-coding-agent"; L2: import { execFile } from "node:child_process"; L3: import { promisify } from "node:util"; ... L25: const h = createHash("sha1").update(cwd).digest("hex").slice(0, 16); L26: return join(homedir(), ".crouter", "cache", `crouter-help-${h}.json`); L27: } ... L38: try { L39: const c = JSON.parse(readFileSync(file, "utf8")) as { text?: string; at?: number }; L40: if (typeof c.text === "string" && c.text && typeof c.at === "number" && Date.now() - c.at < TTL_MS) { ... L49: try { L50: const { stdout } = await run("crouter", ["-h"], { timeout: 10_000 }); L51: helpText = stdout.trim();
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/builtin-pi-packages/pi-crtr-extensions/extensions/crouter-help.tsView on unpkg · L1
dist/core/self-update.jsView file
23export function selfUpdate() { L24: const res = spawnSync('npm', ['i', '-g', '@crouton-kit/crouter@latest'], { stdio: 'inherit' }); L25: if (res.status !== 0) { L26: throw general('npm install failed'); L27: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/core/self-update.jsView on unpkg · L23
dist/web-client/assets/martian-mono-latin-wght-normal-5W32yIyr.woff2View file
path = dist/web-client/assets/martian-mono-latin-wght-normal-5W32yIyr.woff2 kind = high_entropy_blob sizeBytes = 23556 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web-client/assets/martian-mono-latin-wght-normal-5W32yIyr.woff2View on unpkg
dist/clients/attach/attach-cmd.jsView file
path = dist/clients/attach/attach-cmd.js kind = oversized_source_file sizeBytes = 7534182 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/clients/attach/attach-cmd.jsView on unpkg
dist/core/hearth/providers/blaxel-home.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @crouton-kit/crouter@0.3.39 matchedIdentity = npm:QGNyb3V0b24ta2l0L2Nyb3V0ZXI:0.3.39 similarity = 0.992 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/core/hearth/providers/blaxel-home.jsView on unpkg

Findings

1 Critical6 High5 Medium7 Low
CriticalPrevious Version Dangerous Deltadist/core/hearth/providers/blaxel-home.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/clients/web/web-cmd.js
HighShelldist/clients/attach/slash-commands.js
HighRuntime Package Installdist/core/self-update.js
HighShips High Entropy Blobdist/web-client/assets/martian-mono-latin-wght-normal-5W32yIyr.woff2
HighOversized Source Filedist/clients/attach/attach-cmd.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/clients/attach/config-load.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/builtin-pi-packages/pi-crtr-extensions/extensions/crouter-help.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings