registry  /  @dotobokuri/fleet-console  /  1.18.0

@dotobokuri/fleet-console@1.18.0

Fleet Console - standalone web surface for observing Fleet CLI workspaces, carrier jobs, live output streams, and terminals.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The main risk is guarded lifecycle startup of a package-owned local console daemon plus user-invoked agent skill installation. This is a dangerous local agent-console capability, but source inspection did not confirm malicious exfiltration or foreign control-surface hijack at install time.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
global interactive npm install, explicit fleet-console CLI use, or authenticated loopback console UI action
Impact
Local console can manage terminals/agent sessions and install skills when authorized by the local UI; install-time daemon startup is surprising but package-aligned and guarded.
Mechanism
postinstall auto-opens CLI; CLI spawns loopback daemon; console routes spawn shells/agent CLIs and skills CLI
Policy narrative
On a global interactive install, postinstall may invoke the Fleet Console CLI, which can start a detached loopback server and open a browser. Once running, authorized local console routes can spawn terminals/agent CLIs and install agent skills globally or per project via a bundled skills CLI bootstrap. The inspected code includes origin/host/token gates and validates route inputs; I did not find install-time writes to foreign AI-agent configs or credential exfiltration.
Rationale
The package has real agent/terminal execution and guarded install-time daemon startup, so it is not a trivial clean package. However, the behaviors are aligned with the advertised Fleet Console product and guarded by global-install/loopback/authorization checks, with no confirmed malicious exfiltration or unconsented foreign AI control-surface mutation.
Evidence
package.jsonpostinstall.mjsdist/cli.mjsdist/fleet-plugins/skills/routes.mjsdist/fleet-plugins/terminal/routes.mjs~/.fleet~/.agents/skills<theater>/.agents/skills
Network endpoints4
registry.npmjs.org/skills.shmcp.grep.appraw.githubusercontent.com/sbluemin/fleet-harness/main/CHANGELOG.md

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node postinstall.mjs
  • postinstall.mjs conditionally runs dist/cli.mjs on global interactive installs
  • dist/cli.mjs ensureDaemon spawns detached local server with [serverModulePath,"serve"]
  • dist/fleet-plugins/skills/routes.mjs can install/update skills under project/global agent skill scopes via console routes
  • dist/cli.mjs self-update worker can run global npm install for @dotobokuri/fleet-cli and @dotobokuri/fleet-console
Evidence against
  • postinstall is guarded to non-CI global installs with FLEET_CONSOLE_NO_AUTO_OPEN opt-out
  • server binds to 127.0.0.1 and uses Host/Origin/lock-token checks
  • terminal and skills routes require isTerminalAuthorized or lock authorization
  • skills install validates source/skill/agent/scope and is user-invoked through console routes
  • no credential harvesting or external exfiltration flow found in inspected files
  • network use is package-aligned update/search/MCP catalog behavior
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 61 file(s), 7.48 MB of source, external domains: 127.0.0.1, api.github.com, chevrotain.io, en.wikipedia.org, github.com, json-schema.org, langium.org, mcp.grep.app, raw.githubusercontent.com, react.dev, registry.npmjs.org, skills.sh, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/client/assets/index-DWgndVkX.jsView file
157Please report this to https://github.com/markedjs/marked.`,e){let s="<p>An error occurred:</p><pre>"+ar(i.message+"",!0)+"</pre>";return n?Promise.resolve(s):s}if(n)return Promise.... L158: `+Jt),Ne&&Cl([W,I,Y],Qt=>{Jt=qa(Jt,Qt," ")}),k&&vn?k.createHTML(Jt):Jt},n.setConfig=function(){let De=arguments.length>0&&arguments[0]!==void 0?arguments[0]:{};ke(De),vt=!0},n.clea... L159: https://github.com/highlightjs/highlight.js/issues/2277`),Wt=be,ft=Me),Ie===void 0&&(Ie=!0);const zn={code:ft,language:Wt};Jt("before:highlight",zn);const hi=zn.result?zn.result:Rn...
High
Child Process

Package source references child process execution.

dist/client/assets/index-DWgndVkX.jsView on unpkg · L157
10L11: Please change the parent <Route path="${p}"> to <Route path="${p==="/"?"*":`${p}/*`}">.`)}let b=Ui(),m;if(n){let p=typeof n=="string"?_o(n):n;qt(h==="/"||p.pathname?.startsWith(h),... L12:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client/assets/index-DWgndVkX.jsView on unpkg · L10
dist/fleet-plugins/terminal/routes.mjsView file
17538const child = isWindows() ? spawn( L17539: this.env.ComSpec ?? "cmd.exe", L17540: buildWindowsCmdArgs(this.command, this.args),
High
Shell

Package source references shell execution.

dist/fleet-plugins/terminal/routes.mjsView on unpkg · L17538
dist/fleet-plugins/skills/routes.mjsView file
2Cross-file remote execution chain: dist/fleet-plugins/skills/routes.mjs spawns dist/cli.mjs; helper contains network access plus dynamic code execution. L2: import path2 from 'path'; L3: import { execFile } from 'child_process'; L4: import fs3 from 'fs/promises'; ... L38: ZodArray: () => ZodArray, L39: ZodBase64: () => ZodBase64, L40: ZodBase64URL: () => ZodBase64URL, ... L1495: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1496: } : { success: true, data: result.value }; L1497: }; ... L2579: try { L2580: new URL(`http://[${payload.value}]`); L2581: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/fleet-plugins/skills/routes.mjsView on unpkg · L2
dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View file
path = dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2 kind = high_entropy_blob sizeBytes = 33872 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View on unpkg
dist/cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @dotobokuri/fleet-console@1.17.0 matchedIdentity = npm:[redacted]:1.17.0 similarity = 0.951 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.mjsView on unpkg

Findings

1 Critical5 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/client/assets/index-DWgndVkX.js
HighShelldist/fleet-plugins/terminal/routes.mjs
HighCross File Remote Execution Contextdist/fleet-plugins/skills/routes.mjs
HighShips High Entropy Blobdist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/client/assets/index-DWgndVkX.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License