registry  /  @dotobokuri/fleet-console  /  1.17.0

@dotobokuri/fleet-console@1.17.0

Fleet Console - standalone web surface for observing Fleet CLI workspaces, carrier jobs, live output streams, and terminals.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Risky primitives are aligned with a local Fleet Console product: loopback HTTP UI, terminal/session management, git/file viewers, plugin loading, and opt-in updates.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User installs globally or starts/uses fleet-console local web UI.
Impact
Can spawn shells/agent CLIs, read selected Theater files, install skills, and update global packages when explicitly used; no evidence of unconsented abuse.
Mechanism
User-invoked local console operations with origin/loopback gates.
Rationale
Static inspection found sensitive primitives, but they are exposed as authenticated loopback console functionality and guarded by origin/host/path validation rather than hidden install-time behavior. The postinstall auto-open is limited to global interactive installs and does not fetch or mutate agent control surfaces beyond chmod of node-pty helpers.
Evidence
package.jsonpostinstall.mjsdist/cli.mjsdist/fleet-plugins/diff/routes.mjsdist/fleet-plugins/file-explorer/routes.mjsdist/fleet-plugins/skills/routes.mjsdist/fleet-plugins/terminal/routes.mjs
Network endpoints8
registry.npmjs.org/raw.githubusercontent.com/sbluemin/fleet-harness/main/CHANGELOG.mdskills.shapi.github.commcp.grep.appapi.z.ai/api/anthropicapi.kimi.com/coding/open.bigmodel.cn/api/anthropic

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json defines postinstall hook.
  • postinstall.mjs may run dist/cli.mjs only for global, non-CI installs with display.
  • dist/fleet-plugins/skills/routes.mjs can npm-install/run skills@1.5.14 after authorized local route calls.
  • dist/fleet-plugins/terminal/routes.mjs spawns shells/agent CLIs for console terminal sessions.
  • dist/cli.mjs fetches npm registry/GitHub release data for update checks.
Evidence against
  • postinstall.mjs has no network code and skips dependency/CI installs unless global auto-open conditions match.
  • Server binds/validates loopback host/origin and terminal routes require isTerminalAuthorized.
  • diff/file routes use realpath containment; git is spawned with shell:false and path args are guarded with --.
  • Skills install inputs are allowlisted and invoked only through authorized console routes.
  • No credential harvesting/exfiltration, destructive lifecycle behavior, or hidden payload download found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 61 file(s), 7.55 MB of source, external domains: 127.0.0.1, api.github.com, api.kimi.com, api.z.ai, chevrotain.io, en.wikipedia.org, github.com, json-schema.org, langium.org, mcp.grep.app, open.bigmodel.cn, raw.githubusercontent.com, react.dev, registry.npmjs.org, skills.sh, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/client/assets/index-BY_CeGCl.jsView file
155Please report this to https://github.com/markedjs/marked.`,e){let s="<p>An error occurred:</p><pre>"+ar(i.message+"",!0)+"</pre>";return n?Promise.resolve(s):s}if(n)return Promise.... L156: `+Jt),Le&&El([W,I,Z],Qt=>{Jt=Va(Jt,Qt," ")}),k&&vn?k.createHTML(Jt):Jt},n.setConfig=function(){let De=arguments.length>0&&arguments[0]!==void 0?arguments[0]:{};ke(De),ut=!0},n.clea... L157: https://github.com/highlightjs/highlight.js/issues/2277`),Wt=be,pt=Ne),Ie===void 0&&(Ie=!0);const zn={code:pt,language:Wt};Jt("before:highlight",zn);const hi=zn.result?zn.result:Rn...
High
Child Process

Package source references child process execution.

dist/client/assets/index-BY_CeGCl.jsView on unpkg · L155
10L11: Please change the parent <Route path="${g}"> to <Route path="${g==="/"?"*":`${g}/*`}">.`)}let y=Ui(),p;if(n){let g=typeof n=="string"?vo(n):n;qt(h==="/"||g.pathname?.startsWith(h),... L12:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client/assets/index-BY_CeGCl.jsView on unpkg · L10
dist/fleet-plugins/terminal/routes.mjsView file
17501const child = isWindows() ? spawn( L17502: this.env.ComSpec ?? "cmd.exe", L17503: buildWindowsCmdArgs(this.command, this.args),
High
Shell

Package source references shell execution.

dist/fleet-plugins/terminal/routes.mjsView on unpkg · L17501
dist/fleet-plugins/skills/routes.mjsView file
2Cross-file remote execution chain: dist/fleet-plugins/skills/routes.mjs spawns dist/cli.mjs; helper contains network access plus dynamic code execution. L2: import path2 from 'path'; L3: import { execFile } from 'child_process'; L4: import fs3 from 'fs/promises'; ... L38: ZodArray: () => ZodArray, L39: ZodBase64: () => ZodBase64, L40: ZodBase64URL: () => ZodBase64URL, ... L1495: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1496: } : { success: true, data: result.value }; L1497: }; ... L2579: try { L2580: new URL(`http://[${payload.value}]`); L2581: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/fleet-plugins/skills/routes.mjsView on unpkg · L2
dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View file
path = dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2 kind = high_entropy_blob sizeBytes = 33872 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View on unpkg
dist/fleet-plugins/diff/routes.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @dotobokuri/fleet-console@1.16.0 matchedIdentity = npm:[redacted]:1.16.0 similarity = 0.967 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/fleet-plugins/diff/routes.mjsView on unpkg

Findings

1 Critical5 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/fleet-plugins/diff/routes.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/client/assets/index-BY_CeGCl.js
HighShelldist/fleet-plugins/terminal/routes.mjs
HighCross File Remote Execution Contextdist/fleet-plugins/skills/routes.mjs
HighShips High Entropy Blobdist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/client/assets/index-BY_CeGCl.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License