registry  /  @drdeeks/character-kit  /  1.0.3

@drdeeks/character-kit@1.0.3

Universal agent character enforcement, knowledge indexing, and memory with YAML frontmatter. True plugin: install once, reference as @character-kit in any harness config.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `ack install` or `node/bin/install.js`; root deployment requires explicitly running `deploy/deploy-agent-enforcer.sh` as root.
Impact
Can persist package-owned agent enforcement and write configured workspace state.
Mechanism
Detached local daemon, monitor, watchdog, and optional systemd service.
Rationale
This is explicit-user agent-control and persistence tooling, not unconsented npm lifecycle mutation or concrete malicious behavior. Warn rather than block.
Evidence
package.jsonnode/bin/install.jsnode/bin/ack.jsnode/enforcer/agent_enforcer_daemon.jsdeploy/deploy-agent-enforcer.shpython/agent_character_kit/enforcer.pydeploy/agent-enforcer.service
Network endpoints1
tcp://127.0.0.1:8753

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Root `package.json` has no lifecycle hook.
  • `node/bin/install.js` starts detached daemon, monitor, and watchdog.
  • Installer writes workspace `.agent` files and `.env` configuration.
  • Daemon exposes local Unix socket or loopback TCP enforcement.
Evidence against
  • No outbound HTTP client, download, or credential exfiltration found.
  • No eval, vm, or remote payload execution found.
  • Systemd deployment requires explicit root-run shell script.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 139 KB of source, external domains: www.apple.com

Source & flagged code

14 flagged · loading source
python/agent_character_kit/enforcer.pyView file
248patternName = private_key_rsa severity = critical line = 248 matchedText = "ghp_", ...-"):
Critical
Critical Secret

Package contains a critical-looking secret pattern.

python/agent_character_kit/enforcer.pyView on unpkg · L248
248patternName = private_key_rsa severity = critical line = 248 matchedText = "ghp_", ...-"):
Critical
Secret Pattern

RSA private key in python/agent_character_kit/enforcer.py

python/agent_character_kit/enforcer.pyView on unpkg · L248
node/bin/install.jsView file
26import readline from "readline"; L27: import { spawn } from "child_process"; L28: import { fileURLToPath, pathToFileURL } from "url";
High
Child Process

Package source references child process execution.

node/bin/install.jsView on unpkg · L26
node/bin/aik.jsView file
14const getMemory = async () => (await import("../src/memory/index.js")).Memory; L15: import { spawn } from "child_process"; L16: import { fileURLToPath } from "url"; ... L50: L51: const payload = input ? JSON.parse(input) : {}; L52: const result = await processToolCall(payload, { framework: opts.framework }); L53: console.log(JSON.stringify(result.output)); L54: process.exit(result.exitCode); L55: }); ... L116: child = spawn(process.execPath, [daemonScript], { L117: env: process.env, L118: stdio: "inherit",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

node/bin/aik.jsView on unpkg · L14
node/enforcer/agent_enforcer_daemon.jsView file
23const m = line.match(/^\s*([A-Z0-9_]+)\s*=\s*(.*)\s*$/); L24: if (m && !(m[1] in process.env)) process.env[m[1]] = m[2]; L25: } ... L27: L28: import net from "net"; L29: import fs from "fs"; ... L31: import path from "path"; L32: import { execSync } from "child_process"; L33: import yaml from "js-yaml";
Critical
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution with blocking evidence.

node/enforcer/agent_enforcer_daemon.jsView on unpkg · L23
110patternName = private_key_rsa severity = critical line = 110 matchedText = "Command...).",
Critical
Secret Pattern

RSA private key in node/enforcer/agent_enforcer_daemon.js

node/enforcer/agent_enforcer_daemon.jsView on unpkg · L110
118patternName = private_key_rsa severity = critical line = 118 matchedText = "ghp_", ...--",
Critical
Secret Pattern

RSA private key in node/enforcer/agent_enforcer_daemon.js

node/enforcer/agent_enforcer_daemon.jsView on unpkg · L118
295patternName = private_key_rsa severity = critical line = 295 matchedText = "glpat-"...)) {
Critical
Secret Pattern

RSA private key in node/enforcer/agent_enforcer_daemon.js

node/enforcer/agent_enforcer_daemon.jsView on unpkg · L295
python/tests/python_parity_test.pyView file
path = python/tests/python_parity_test.py kind = payload_in_excluded_dir sizeBytes = 2981 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

python/tests/python_parity_test.pyView on unpkg
path = python/tests/python_parity_test.py kind = build_helper sizeBytes = 2981 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

python/tests/python_parity_test.pyView on unpkg
python/example_workspace/.agent/habits/no-credential-leak.yamlView file
18patternName = private_key_rsa severity = critical line = 18 matchedText = - "Comma...-)."
Critical
Secret Pattern

RSA private key in python/example_workspace/.agent/habits/no-credential-leak.yaml

python/example_workspace/.agent/habits/no-credential-leak.yamlView on unpkg · L18
34patternName = private_key_rsa severity = critical line = 34 matchedText = - "-----...---"
Critical
Secret Pattern

RSA private key in python/example_workspace/.agent/habits/no-credential-leak.yaml

python/example_workspace/.agent/habits/no-credential-leak.yamlView on unpkg · L34
node/examples/.agent/habits/no-credential-leak.yamlView file
18patternName = private_key_rsa severity = critical line = 18 matchedText = - "Comma...-)."
Critical
Secret Pattern

RSA private key in node/examples/.agent/habits/no-credential-leak.yaml

node/examples/.agent/habits/no-credential-leak.yamlView on unpkg · L18
34patternName = private_key_rsa severity = critical line = 34 matchedText = - "-----...---"
Critical
Secret Pattern

RSA private key in node/examples/.agent/habits/no-credential-leak.yaml

node/examples/.agent/habits/no-credential-leak.yamlView on unpkg · L34

Findings

10 Critical3 High4 Medium4 Low
CriticalCritical Secretpython/agent_character_kit/enforcer.py
CriticalSame File Env Network Executionnode/enforcer/agent_enforcer_daemon.js
CriticalSecret Patternpython/agent_character_kit/enforcer.py
CriticalSecret Patternpython/example_workspace/.agent/habits/no-credential-leak.yaml
CriticalSecret Patternpython/example_workspace/.agent/habits/no-credential-leak.yaml
CriticalSecret Patternnode/enforcer/agent_enforcer_daemon.js
CriticalSecret Patternnode/enforcer/agent_enforcer_daemon.js
CriticalSecret Patternnode/enforcer/agent_enforcer_daemon.js
CriticalSecret Patternnode/examples/.agent/habits/no-credential-leak.yaml
CriticalSecret Patternnode/examples/.agent/habits/no-credential-leak.yaml
HighChild Processnode/bin/install.js
HighShell
HighPayload In Excluded Dirpython/tests/python_parity_test.py
MediumEnvironment Vars
MediumInstall Persistencenode/bin/aik.js
MediumShips Build Helperpython/tests/python_parity_test.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings