
@easbot/agent@0.2.48

Core Agent for the easbot monorepo ecosystem

AI Security Review

scanned 1h ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by static inspection. The package is a full AI agent CLI with user-invoked shell, network, plugin, and workflow setup capabilities.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit easbot CLI commands such as tui, gateway, acp, github install, debug agent, or model/provider use.
Impact
Potentially broad local automation when the user runs the agent, but no hidden exfiltration or unconsented install mutation was identified.
Mechanism
User-invoked AI agent runtime and integrations, not install-time malware.
Rationale
The scanner-highlighted primitives are real, but they are reachable through an explicit AI-agent CLI and documented integrations, with no npm lifecycle hook or hidden import-time path that mutates a foreign agent surface or exfiltrates secrets. This is high-capability software, not confirmed malware for the firewall boundary.
Evidence
  • package.json
  • dist/cli.mjs
  • dist/chunks/chunk-NP366GVR.mjs
  • dist/chunks/chunk-UX6LW3VS.mjs
  • dist/chunks/github-SAI3OHBI.mjs
  • dist/chunks/agent-XASWUE5W.mjs
  • .github/workflows/opencode.yml
  • ~/.easbot/created
  • ~/.easbot/memory-bridge
Network endpoints (3)
  • models.dev
  • github.com/apps/opencode-agent
  • api.opencode.ai/get_github_app_installation

Decision evidence

public snapshot
AI verdict: Clean (Benign) at 84.0% confidence, with medium false-positive risk.
Evidence for block
  • dist/chunks/agent-XASWUE5W.mjs parses --params with new Function for the debug agent tool command.
  • dist/chunks/github-SAI3OHBI.mjs user-invoked github install runs git remote, opens browser, polls api.opencode.ai, and writes .github/workflows/opencode.yml.
  • dist/chunks/chunk-UX6LW3VS.mjs fetches model metadata from https://models.dev and caches it.
  • dist/chunks/chunk-NP366GVR.mjs contains AI-agent capabilities: shell/LSP spawning, dynamic provider import/install, local file and .easbot state access.
Evidence against
  • package.json has no preinstall/install/postinstall/prepare lifecycle hooks; only bin easbot points to dist/cli.mjs.
  • dist/cli.mjs initializes the CLI and parses explicit user commands; no install-time execution path found.
  • Network use is package-aligned for model metadata, configured providers, gateway, and explicit GitHub app setup.
  • Command execution appears tied to documented agent, LSP, debug, or GitHub-install workflows rather than hidden import-time exfiltration.
  • No hardcoded credential harvesting or stealth persistence endpoint found in inspected hot files.
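The verdict above rests on three static checks: no install-time lifecycle scripts in package.json, a reachability chain that starts only at the declared bin entrypoint, and a look at which reachable file combines environment, network and execution primitives. The script below is an added example that reproduces those checks over a constructed package; it is not code from @easbot/agent or from the lpm-firewall-ai scanner. The manifest, file map, file names and capability regexes are all constructed for the demonstration and the regexes are heuristics, not the scanner's real rules.

```javascript
// Added example: a minimal static triage of an npm package in the style of the
// "Evidence against" bullets. Constructed inputs; heuristic regexes.

const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Lifecycle scripts npm runs without any user command: the install-time surface.
function lifecycleHooks(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === "string");
}

// bin may be a string (command named after the package) or a name -> path map.
function binEntries(manifest) {
  const bin = manifest.bin;
  if (!bin) return {};
  if (typeof bin === "string") return { [manifest.name.split("/").pop()]: bin };
  return { ...bin };
}

// Resolve a relative specifier against the importing file's directory.
// Bare specifiers (dependencies such as 'node:child_process') return null.
function resolveImport(fromFile, spec) {
  if (!spec.startsWith(".")) return null;
  const parts = fromFile.split("/").slice(0, -1);
  for (const seg of spec.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") parts.pop();
    else parts.push(seg);
  }
  return parts.join("/");
}

// Static import forms: import {..} from './x'; import './x'; import('./x').
// Adequate for bundler output; it does not understand comments or string contents.
const IMPORT_RE = /(?:\bimport\s*(?:[^'";]*?\bfrom\s*)?|\bimport\s*\(\s*)["']([^"']+)["']/g;

function importsOf(file, files) {
  if (!(file in files)) return [];
  const out = [];
  for (const m of files[file].matchAll(IMPORT_RE)) {
    const r = resolveImport(file, m[1]);
    if (r && r in files) out.push(r);
  }
  return out;
}

// Breadth-first walk from entry; returns the import chain to target, or null if unreachable.
function reachChain(entry, target, files) {
  const parent = new Map([[entry, null]]);
  const queue = [entry];
  while (queue.length) {
    const cur = queue.shift();
    if (cur === target) {
      const chain = [];
      for (let f = cur; f !== null; f = parent.get(f)) chain.unshift(f);
      return chain;
    }
    for (const next of importsOf(cur, files)) {
      if (!parent.has(next)) { parent.set(next, cur); queue.push(next); }
    }
  }
  return null;
}

// Capability markers (heuristic). A file hitting all three is the
// "same file env + network + execution" combination the scan flags.
const CAPABILITIES = {
  env: /\bprocess\.env\b/,
  network: /\bfetch\s*\(|\bhttps?\.request\s*\(|new\s+WebSocket\s*\(/,
  exec: /\bchild_process\b|\b(?:spawn|exec|execSync|execFile)\s*\(|\beval\s*\(|new\s+Function\s*\(/,
};

function capabilities(source) {
  return Object.keys(CAPABILITIES).filter((k) => CAPABILITIES[k].test(source));
}

function triage(manifest, files) {
  const hooks = lifecycleHooks(manifest);
  const bins = binEntries(manifest);
  const combined = Object.keys(files).filter((f) => capabilities(files[f]).length === 3);
  const chains = {};
  for (const [name, entry] of Object.entries(bins)) {
    const entryFile = resolveImport("package.json", entry.startsWith(".") ? entry : "./" + entry);
    for (const target of combined) chains[`${name} -> ${target}`] = reachChain(entryFile, target, files);
  }
  return { installTimeExecution: hooks.length > 0, hooks, bins, combined, chains };
}

// Constructed sample: bin -> cli -> scheduler -> agent chunk, shaped like the
// chain in the scan above but not the real package contents.
const SAMPLE_MANIFEST = {
  name: "@example/agent",
  version: "0.0.1",
  bin: { agent: "./dist/cli.mjs" },
  scripts: { build: "tsc", test: "vitest run" },
};

const SAMPLE_FILES = {
  "dist/cli.mjs": "import {run} from './chunks/scheduler.mjs';run(process.argv.slice(2));",
  "dist/chunks/scheduler.mjs": "import {agent} from './core.mjs';export function run(a){return agent(a)}",
  "dist/chunks/core.mjs":
    "import {spawn} from 'node:child_process';export async function agent(a){" +
    "const k=process.env.API_KEY;const r=await fetch('https://api.example.invalid/models'," +
    "{headers:{authorization:k}});return spawn(a[0],a.slice(1))}",
  "dist/chunks/unused.mjs": "export const x=1;",
};

console.log(JSON.stringify(triage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

On the sample, triage reports no lifecycle hooks, one file with all three capabilities (dist/chunks/core.mjs) and the chain dist/cli.mjs -> dist/chunks/scheduler.mjs -> dist/chunks/core.mjs from the bin entry; the unused chunk is unreachable. A package that passes this check can still be dangerous once the user runs it, which is exactly the distinction the rationale above draws between user-invoked capability and install-time malware.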
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Eval, Filesystem, Native Bindings, Network, WebSocket
Supply chain
High Entropy Strings, Minified, Url Strings
Manifest
No manifest risk signals triggered.
scanned 101 file(s), 2.45 MB of source, external domains: 127.0.0.1, abacus.ai, ai-gateway.helicone.ai, ai.google.dev, aihubmix.com, alipaytbox.yuque.com, api-inference.modelscope.cn, api-sherlock.cloudferro.com, api.302.ai, api.berget.ai, api.cloudflare.com, api.cortecs.ai, api.deepseek.com, api.easbot.cn, api.fireworks.ai, api.friendli.ai, api.github.com, api.githubcopilot.com, api.inceptionlabs.ai, api.inference.wandb.ai, api.intelligence.io.solutions, api.jiekou.ai, api.kilo.ai, api.kimi.com, api.llama.com, api.meganova.ai, api.minimax.io, api.minimaxi.com, api.moonshot.ai, api.moonshot.cn, api.morphllm.com, api.nova.amazon.com, api.novita.ai, api.openai-compat.model-serving.eu01.onstackit.cloud, api.openai.com, api.opencode.ai, api.poe.com, api.qhaigc.net, api.qnaigc.com.com, api.scaleway.ai, api.siliconflow.cn, api.siliconflow.com, api.stepfun.com, api.synthetic.new, api.tbox.cn, api.tokenfactory.nebius.com, api.upstage.ai, api.vivgrid.com, api.vultrinference.com, api.xiaomimimo.com

Source & flagged code

9 flagged, all in dist/chunks/chunk-NP366GVR.mjs

Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/chunks/chunk-NP366GVR.mjs · L1
L1: import {b as b$5,a as a$c}from'./chunk-V7MUWRGD.mjs';import {b as b$2,a as a$a,c as c$2}from'./chunk-ED75EHDU.mjs';import {a as a$8}from'./chunk-677XZAV6.mjs';import {a as a$4,b,c ... L2: `));let i=await PKG.packageManager();if(!i){El.debug("No package manager found, skipping install");return}let a=proxied()?" --no-cache":"",l=process.platform==="win32"?"cmd":void 0...

Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunks/chunk-NP366GVR.mjs · L1
Trigger-reachable chain: manifest.bin -> dist/cli.mjs -> dist/chunks/scheduler-CGMKMH7R.mjs -> dist/chunks/chunk-NP366GVR.mjs L1: import {b as b$5,a as a$c}from'./chunk-V7MUWRGD.mjs';import {b as b$2,a as a$a,c as c$2}from'./chunk-ED75EHDU.mjs';import {a as a$8}from'./chunk-677XZAV6.mjs';import {a as a$4,b,c ... L2: `));let i=await PKG.packageManager();if(!i){El.debug("No package manager found, skipping install");return}let a=proxied()?" --no-cache":"",l=process.platform==="win32"?"cmd":void 0...

High
Child Process

Package source references child process execution.

dist/chunks/chunk-NP366GVR.mjs · L1
L1: import {b as b$5,a as a$c}from'./chunk-V7MUWRGD.mjs';import {b as b$2,a as a$a,c as c$2}from'./chunk-ED75EHDU.mjs';import {a as a$8}from'./chunk-677XZAV6.mjs';import {a as a$4,b,c ... L2: `));let i=await PKG.packageManager();if(!i){El.debug("No package manager found, skipping install");return}let a=proxied()?" --no-cache":"",l=process.platform==="win32"?"cmd":void 0...

High
Eval

Package source references dynamic code evaluation.

dist/chunks/chunk-NP366GVR.mjs · L932
L932: ${jA()}`;return Jr.run({source:o.sessionId,title:"memory-extract",agent:"memory",syncMessages:false,parts:[{type:"memory",status:"processing",time:{start:d}},{type:"text",text:h}]}... L933: Agent: ${r}`,duration:Date.now()-s,metadata:{agent:r,title:a}}}catch(r){return Bp.error("Agent Hook execution failed",{error:r?.message,stack:r?.stack}),{success:false,modified:fal... L934:

High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/chunks/chunk-NP366GVR.mjs · L1
L1: import {b as b$5,a as a$c}from'./chunk-V7MUWRGD.mjs';import {b as b$2,a as a$a,c as c$2}from'./chunk-ED75EHDU.mjs';import {a as a$8}from'./chunk-677XZAV6.mjs';import {a as a$4,b,c ... L2: `));let i=await PKG.packageManager();if(!i){El.debug("No package manager found, skipping install");return}let a=proxied()?" --no-cache":"",l=process.platform==="win32"?"cmd":void 0...

High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunks/chunk-NP366GVR.mjs · L1
L1: import {b as b$5,a as a$c}from'./chunk-V7MUWRGD.mjs';import {b as b$2,a as a$a,c as c$2}from'./chunk-ED75EHDU.mjs';import {a as a$8}from'./chunk-677XZAV6.mjs';import {a as a$4,b,c ... L2: `));let i=await PKG.packageManager();if(!i){El.debug("No package manager found, skipping install");return}let a=proxied()?" --no-cache":"",l=process.platform==="win32"?"cmd":void 0... ... L285: [[ -f ~/.zshenv ]] && source ~/.zshenv >/dev/null 2>&1 || true L286: [[ -f "\${ZDOTDIR:-$HOME}/.zshrc" ]] && source "\${ZDOTDIR:-$HOME}/.zshrc" >/dev/null 2>&1 || true L287: eval ${JSON.stringify(o.command)} ... L411: ${e==="powershell"?`Set-Location -LiteralPath "project${o}subdir"; if ($?) { pytest tests }`:`Set-Location -LiteralPath "project${o}subdir" && pytest tests`} L412: </bad-example>`}function fC(e,t){return `# cmd.exe shell notes L413: - Use double quotes for paths with spaces.

High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/chunks/chunk-NP366GVR.mjs · L1
Cross-file remote execution chain: dist/chunks/chunk-NP366GVR.mjs spawns dist/chunks/copilot-I52DJYYX.mjs; helper contains network access plus dynamic code execution. L1: import {b as b$5,a as a$c}from'./chunk-V7MUWRGD.mjs';import {b as b$2,a as a$a,c as c$2}from'./chunk-ED75EHDU.mjs';import {a as a$8}from'./chunk-677XZAV6.mjs';import {a as a$4,b,c ... L2: `));let i=await PKG.packageManager();if(!i){El.debug("No package manager found, skipping install");return}let a=proxied()?" --no-cache":"",l=process.platform==="win32"?"cmd":void 0... ... L285: [[ -f ~/.zshenv ]] && source ~/.zshenv >/dev/null 2>&1 || true L286: [[ -f "\${ZDOTDIR:-$HOME}/.zshrc" ]] && source "\${ZDOTDIR:-$HOME}/.zshrc" >/dev/null 2>&1 || true L287: eval ${JSON.stringify(o.command)} ... L411: ${e==="powershell"?`Set-Location -LiteralPath "project${o}subdir"; if ($?) { pytest tests }`:`Set-Location -LiteralPath "project${o}subdir" && pytest tests`} L412: </bad-example>`}function fC(e,t){return `# cmd.exe shell notes L413: - Use double quotes for paths with spaces.

Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunks/chunk-NP366GVR.mjs · L23
L23: ${i} L24: --- End ---`})}let s=Or.safeParse(o);if(s.success)return s.data;throw _l.error("Configuration validation failed",{path:t,issues:s.error.issues}),new So({path:t,issues:s.error.issue... L25: `).map(k=>k.trim()).filter(Boolean).map(k=>Pe__default.join(A.worktree,k))}}u.patch=i;async function a$2(m){e.info("restore",{commit:m});let h=c(),g=await $`git --git-dir ${h} --wo...

Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/chunks/chunk-NP366GVR.mjs · L1
L1: import {b as b$5,a as a$c}from'./chunk-V7MUWRGD.mjs';import {b as b$2,a as a$a,c as c$2}from'./chunk-ED75EHDU.mjs';import {a as a$8}from'./chunk-677XZAV6.mjs';import {a as a$4,b,c ... L2: `));let i=await PKG.packageManager();if(!i){El.debug("No package manager found, skipping install");return}let a=proxied()?" --no-cache":"",l=process.platform==="win32"?"cmd":void 0... ... L285: [[ -f ~/.zshenv ]] && source ~/.zshenv >/dev/null 2>&1 || true L286: [[ -f "\${ZDOTDIR:-$HOME}/.zshrc" ]] && source "\${ZDOTDIR:-$HOME}/.zshrc" >/dev/null 2>&1 || true L287: eval ${JSON.stringify(o.command)} ... L411: ${e==="powershell"?`Set-Location -LiteralPath "project${o}subdir"; if ($?) { pytest tests }`:`Set-Location -LiteralPath "project${o}subdir" && pytest tests`} L412: </bad-example>`}function fC(e,t){return `# cmd.exe shell notes L413: - Use double quotes for paths with spaces.

Findings

2 Critical · 5 High · 5 Medium · 4 Low
  • Critical · Command Output Exfiltration · dist/chunks/chunk-NP366GVR.mjs
  • Critical · Trigger Reachable Dangerous Capability · dist/chunks/chunk-NP366GVR.mjs
  • High · Child Process · dist/chunks/chunk-NP366GVR.mjs
  • High · Eval · dist/chunks/chunk-NP366GVR.mjs
  • High · Same File Env Network Execution · dist/chunks/chunk-NP366GVR.mjs
  • High · Sandbox Evasion Gated Capability · dist/chunks/chunk-NP366GVR.mjs
  • High · Cross File Remote Execution Context · dist/chunks/chunk-NP366GVR.mjs
  • Medium · Dynamic Require · dist/chunks/chunk-NP366GVR.mjs
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Install Persistence · dist/chunks/chunk-NP366GVR.mjs
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings