registry  /  @dotobokuri/fleet-console  /  1.19.0

@dotobokuri/fleet-console@1.19.0

Fleet Console - standalone web surface for observing Fleet CLI workspaces, carrier jobs, live output streams, and terminals.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was established. The main residual risk is an explicit Fleet Console agent-launch path that writes first-party Codex profile/hooks and plugin registration for Fleet integration.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
global npm install auto-open or user starts Fleet Console and launches agent/skills actions
Impact
May modify Fleet/Codex local integration state when the user invokes console agent features; no unconsented broad install-time hijack or exfiltration found.
Mechanism
guarded local console, terminal spawning, first-party agent profile/plugin setup
Rationale
Source inspection shows suspicious but package-aligned lifecycle and agent-extension capabilities gated by global install or authorized local console actions. The scanner’s execution/network findings map to terminal, update, skills, and git features rather than a concrete malicious chain.
Evidence
package.jsonpostinstall.mjsdist/cli.mjsdist/fleet-plugins/terminal/routes.mjsdist/fleet-plugins/skills/routes.mjsdist/fleet-plugins/diff/routes.mjsdist/fleet-plugins/file-explorer/routes.mjs
Network endpoints2
registry.npmjs.org/skills.sh

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall running postinstall.mjs.
  • postinstall.mjs can spawn dist/cli.mjs only for global, non-CI installs with display.
  • dist/fleet-plugins/terminal/routes.mjs writes CODEX_HOME fleet.config.toml with hooks/plugins during agent launch.
  • dist/fleet-plugins/skills/routes.mjs bootstraps skills@1.5.14 via npm and can install skills through authorized routes.
Evidence against
  • postinstall.mjs otherwise only chmods node-pty darwin spawn-helper and has CI/opt-out/global/display guards.
  • dist/cli.mjs main only runs when invoked directly; imports do not auto-start server.
  • Network seen is package-aligned: npm registry version/update checks and skills.sh search.
  • Terminal, diff, file, and skills routes check isTerminalAuthorized before sensitive actions.
  • Diff/file routes use shell:false, -- path separators, ref SHA validation, and realpath containment checks.
  • No credential harvesting or exfiltration flow found in inspected source.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 61 file(s), 7.51 MB of source, external domains: 127.0.0.1, api.github.com, chevrotain.io, en.wikipedia.org, github.com, img.shields.io, json-schema.org, langium.org, mcp.grep.app, raw.githubusercontent.com, react.dev, registry.npmjs.org, skills.sh, www.w3.org

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/client/assets/index-vgEn_EkG.jsView file
157Please report this to https://github.com/markedjs/marked.`,e){let s="<p>An error occurred:</p><pre>"+ar(i.message+"",!0)+"</pre>";return t?Promise.resolve(s):s}if(t)return Promise.... L158: `+Jt),Me&&kl([W,I,X],Qt=>{Jt=Ka(Jt,Qt," ")}),k&&vn?k.createHTML(Jt):Jt},t.setConfig=function(){let De=arguments.length>0&&arguments[0]!==void 0?arguments[0]:{};ke(De),ht=!0},t.clea... L159: https://github.com/highlightjs/highlight.js/issues/2277`),Wt=be,ft=Ne),Ie===void 0&&(Ie=!0);const zn={code:ft,language:Wt};Jt("before:highlight",zn);const hi=zn.result?zn.result:Rn...
High
Child Process

Package source references child process execution.

dist/client/assets/index-vgEn_EkG.jsView on unpkg · L157
10L11: Please change the parent <Route path="${m}"> to <Route path="${m==="/"?"*":`${m}/*`}">.`)}let v=Ui(),g;if(t){let m=typeof t=="string"?bo(t):t;qt(h==="/"||m.pathname?.startsWith(h),... L12:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/client/assets/index-vgEn_EkG.jsView on unpkg · L10
dist/fleet-plugins/terminal/routes.mjsView file
17444return { L17445: bin: env.ComSpec ?? "cmd.exe", L17446: prefixArgs: ["/d", "/s", "/c", "call", forceWindowsArgQuoting(resolved)]
High
Shell

Package source references shell execution.

dist/fleet-plugins/terminal/routes.mjsView on unpkg · L17444
dist/fleet-plugins/skills/routes.mjsView file
2Cross-file remote execution chain: dist/fleet-plugins/skills/routes.mjs spawns dist/cli.mjs; helper contains network access plus dynamic code execution. L2: import path from 'path'; L3: import { execFile } from 'child_process'; L4: import fs3 from 'fs/promises'; ... L38: ZodArray: () => ZodArray, L39: ZodBase64: () => ZodBase64, L40: ZodBase64URL: () => ZodBase64URL, ... L1495: error: new (_Err ?? $ZodError)(result.issues.map((iss) => finalizeIssue(iss, ctx, config()))) L1496: } : { success: true, data: result.value }; L1497: }; ... L2579: try { L2580: new URL(`http://[${payload.value}]`); L2581: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/fleet-plugins/skills/routes.mjsView on unpkg · L2
dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View file
path = dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2 kind = high_entropy_blob sizeBytes = 33872 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2View on unpkg
dist/cli.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @dotobokuri/fleet-console@1.18.0 matchedIdentity = npm:[redacted]:1.18.0 similarity = 0.934 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.mjsView on unpkg

Findings

1 Critical5 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/cli.mjs
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/client/assets/index-vgEn_EkG.js
HighShelldist/fleet-plugins/terminal/routes.mjs
HighCross File Remote Execution Contextdist/fleet-plugins/skills/routes.mjs
HighShips High Entropy Blobdist/client/assets/cascadia-code-latin-ext-wght-normal-CeKCfnVW.woff2
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/client/assets/index-vgEn_EkG.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License