registry  /  @dotobokuri/fleet-console  /  1.16.1

@dotobokuri/fleet-console@1.16.1

Fleet Console - standalone web surface for observing Fleet CLI workspaces, carrier jobs, live output streams, and terminals.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a loopback Fleet Console with terminal, git diff, plugin, and update features that explain the scanner signals.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs fleet-console, starts the local console, uses terminal/diff/update/plugin features, or globally installs interactively.
Impact
Expected local console behavior; no evidence of unconsented exfiltration, persistence, destructive install behavior, or AI-agent control hijack.
Mechanism
package-aligned local console runtime with guarded child_process, loopback HTTP, PTY, git, and updater operations
Rationale
Static inspection found risky primitives, but they are consistent with a standalone loopback terminal/agent console and are gated by install context, Host/Origin/lock-token checks, explicit user routes, or local plugin trust boundaries. I found no install-time payload download, credential harvesting, external exfiltration path, destructive action, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonpostinstall.mjsdist/cli.mjsdist/fleet-plugins/diff/routes.mjsdist/fleet-plugins/terminal/routes.mjspostinstall.mjs may chmod package-local node_modules/node-pty/prebuilds/darwin-*/spawn-helperdist/cli.mjs writes console state/settings/captures/plugin storage under the Fleet console data directory when rundist/cli.mjs can write temporary self-update worker/status/log files during explicit update apply
Network endpoints7
registry.npmjs.org/raw.githubusercontent.com/sbluemin/fleet-harness/main/CHANGELOG.mdapi.github.commcp.grep.appapi.z.ai/api/anthropicapi.kimi.com/coding/open.bigmodel.cn/api/anthropic

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall lifecycle script
  • postinstall.mjs can chmod node-pty darwin spawn-helper files and may spawn dist/cli.mjs only for global interactive installs
  • dist/cli.mjs contains local console server, terminal PTY, plugin loading, self-update worker, and child_process use
  • dist/fleet-plugins/diff/routes.mjs exposes git diff routes that spawn git
Evidence against
  • postinstall.mjs is bounded to node-pty helper permissions and skips auto-open unless global install, non-CI, display available, and not opted out
  • dist/cli.mjs binds default server to 127.0.0.1 and validates Host/Origin/lock token on sensitive routes
  • self-update flow installs only @dotobokuri/fleet-cli and @dotobokuri/fleet-console after explicit /api/v1/updates/apply, with forbidden body version/package override keys
  • diff plugin validates git refs with isSafeGitRef, uses shell:false, and checks theater path containment including realpath for untracked files
  • external plugin discovery is package-aligned local extension behavior under ~/.fleet/plugins with manifest path containment and API version gating
  • Network calls are update/release/provider endpoints aligned with a Fleet Console terminal/AI-agent GUI, not credential exfiltration
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 60 file(s), 6.89 MB of source, external domains: 127.0.0.1, api.github.com, api.kimi.com, api.z.ai, chevrotain.io, en.wikipedia.org, github.com, json-schema.org, langium.org, mcp.grep.app, open.bigmodel.cn, raw.githubusercontent.com, react.dev, registry.npmjs.org, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/client/assets/index-D3a51i1X.jsView file
155Please report this to https://github.com/markedjs/marked.`,e){let a="<p>An error occurred:</p><pre>"+sr(r.message+"",!0)+"</pre>";return n?Promise.resolve(a):a}if(n)return Promise.... L156: `+Jt),je&&bl([G,B,X],Qt=>{Jt=Ga(Jt,Qt," ")}),k&&vn?k.createHTML(Jt):Jt},n.setConfig=function(){let Ne=arguments.length>0&&arguments[0]!==void 0?arguments[0]:{};ke(Ne),vt=!0},n.clea... L157: https://github.com/highlightjs/highlight.js/issues/2277`),Wt=be,ft=Me),De===void 0&&(De=!0);const zn={code:ft,language:Wt};Jt("before:highlight",zn);const ci=zn.result?zn.result:Rn...
High
Child Process

Package source references child process execution.

dist/client/assets/index-D3a51i1X.jsView on unpkg · L155
10L11: Please change the parent <Route path="${f}"> to <Route path="${f==="/"?"*":`${f}/*`}">.`)}let y=$i(),m;if(n){let f=typeof n=="string"?ho(n):n;qt(u==="/"||f.pathname?.startsWith(u),... L12:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client/assets/index-D3a51i1X.jsView on unpkg · L10
dist/fleet-plugins/terminal/routes.mjsView file
17477const child = isWindows() ? spawn( L17478: this.env.ComSpec ?? "cmd.exe", L17479: buildWindowsCmdArgs(this.command, this.args),
High
Shell

Package source references shell execution.

dist/fleet-plugins/terminal/routes.mjsView on unpkg · L17477
dist/cli.mjsView file
1Cross-file remote execution chain: dist/cli.mjs spawns dist/fleet-plugins/terminal/routes.mjs; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { spawn, execFileSync, execFile, execSync } from 'child_process'; L3: import * as fs11 from 'fs'; ... L14: import crypto5, { createHash, randomUUID } from 'crypto'; L15: import http2 from 'http'; L16: import { builtinModules, createRequire } from 'module'; ... L62: if (!res.ok) return { healthy: false, lock, error: `health failed: ${res.status}` }; L63: return { healthy: true, lock, health: await res.json() }; L64: } catch (err) { ... L134: function resolveColorEnabled(options = {}) { L135: const env = options.env ?? process.env; L136: const isTTY = options.isTTY ?? process.stdout.isTTY;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.mjsView on unpkg · L1
dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View file
path = dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2 kind = high_entropy_blob sizeBytes = 33872 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View on unpkg
dist/fleet-plugins/diff/routes.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @dotobokuri/fleet-console@1.17.0 matchedIdentity = npm:[redacted]:1.17.0 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/fleet-plugins/diff/routes.mjsView on unpkg

Findings

1 Critical5 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/fleet-plugins/diff/routes.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/client/assets/index-D3a51i1X.js
HighShelldist/fleet-plugins/terminal/routes.mjs
HighCross File Remote Execution Contextdist/cli.mjs
HighShips High Entropy Blobdist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/client/assets/index-D3a51i1X.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License