registry  /  @customize-agent/tools  /  1.0.1

@customize-agent/tools@1.0.1

Agent 工具 — 文件操作、终端、Git、沙箱、语法验证

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A host application or agent explicitly invokes `ShellTools.runBackground`, `McpTools.mcpAdd`, or `McpTools.mcpTools`.
Impact
If an integrating agent passes untrusted input into these APIs, it can run local commands and persist command definitions under the customize-agent home directory; no automatic execution path was found.
Mechanism
Caller-controlled shell execution and first-party MCP command registration.
Rationale
Static inspection resolves this as a legitimate but high-privilege agent-tools library rather than malware. Its shell and MCP APIs are explicitly exported runtime features, with no lifecycle trigger, remote payload execution, credential access, foreign agent-surface mutation, or concealed loader. The residual risk is that an embedding agent could expose these user-controlled execution capabilities without adequate authorization controls.
Evidence
package.jsondist/index.jsdist/builtins/index.jsdist/builtins/shell-tools.jsdist/builtins/mcp-tools.jsdist/network-tools.jsdist/core/workspace-snapshot.jsdist/sandbox/sandbox-executor.js~/.customize-agent/mcp.json~/.customize-agent/plugins.json

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/builtins/shell-tools.js` exports `runBackground(command)`, which passes caller-supplied command text to `execaCommand` with `shell: true` and retains the child process in an in-memory background map.
  • `dist/builtins/mcp-tools.js` accepts a caller-supplied command in `mcpAdd`, writes it to `~/.customize-agent/mcp.json`, and `mcpTools` later starts the configured command through the MCP stdio transport.
  • `dist/builtins/shell-tools.js` writes plugin selections to `~/.customize-agent/plugins.json`; these are first-party application paths, but the capability is agent-facing and can configure future local command execution.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or uninstall lifecycle script, so npm installation does not trigger the shell or MCP functions.
  • `dist/index.js` and `dist/builtins/index.js` only export tool classes; the inspected command, MCP, network, and filesystem actions require a host application to call their methods.
  • No `eval`, `Function`, `vm`, detached subprocess, encoded-payload loader, credential collection, persistence hook, or hardcoded remote command/payload source was found in the inspected `dist` sources.
  • `dist/network-tools.js` uses `duckduckgo.com` for explicit search requests and `registry.npmjs.org` for explicit version checks; its `webFetch` and `downloadFile` methods take a caller-provided URL and do not execute downloaded content.
  • The base64 use in `dist/core/workspace-snapshot.js` serializes and restores workspace snapshot bytes; it is not an inert embedded payload or decoder chain.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 39 file(s), 201 KB of source, external domains: duckduckgo.com, registry.npmjs.org

Source & flagged code

1 flagged · loading source
dist/builtins/shell-tools.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @customize-agent/tools@1.0.2 matchedIdentity = npm:QGN1c3RvbWl6ZS1hZ2VudC90b29scw:1.0.2 similarity = 0.795 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/builtins/shell-tools.jsView on unpkg

Findings

1 Critical2 Medium4 Low
CriticalPrevious Version Dangerous Deltadist/builtins/shell-tools.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings