registry  /  @event4u/agent-config  /  8.4.1

@event4u/agent-config@8.4.1

Universal AI Agent OS — audited skills, governance rules, commands, and templates for AI coding tools (Claude Code, Cursor, Windsurf, Copilot).

AI Security Review

scanned 3d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the agent-config CLI install/init/setup flow or installer script with relevant flags.
Impact
Can register package-owned hooks/bridges for AI tools in a project or user profile, but no credential theft, remote payload execution, or npm lifecycle hijack was confirmed.
Mechanism
Explicit AI-tool bridge and hook configuration writer
Rationale
Because AI-agent control-surface mutation exists but is user-invoked and package-aligned with no install/postinstall hook or exfiltration chain, this should warn rather than block. Scanner reverse-shell and runtime-install hits are explained by detection regexes and repo maintenance scripts, not concrete malicious behavior.
Evidence
package.jsondist/cli/agent-config.jssrc/scripts/install.tssrc/scripts/injection_scan_hook.tsdist/agent-src/scripts/archive_completed_roadmaps.tsdist/agent-src/scripts/update_roadmap_progress.ts.agent-settings.yml.vscode/settings.json.augment/settings.json.claude/settings.json.cursor/hooks.json.windsurf/hooks.json~/.augment/hooks/augment-dispatcher.sh~/.cursor/hooks/cursor-dispatcher.sh~/.codeium/windsurf/hooks/windsurf-dispatcher.sh

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • src/scripts/install.ts writes project AI-agent bridge configs such as .augment/settings.json, .claude/settings.json, .cursor/hooks.json, .windsurf/hooks.json when explicit install runs.
  • src/scripts/install.ts can opt-in write user hook trampolines under ~/.augment/hooks, ~/.cursor/hooks, and ~/.codeium/windsurf/hooks.
  • src/scripts/install.ts uses child_process spawn/spawnSync for smoke tests and opener behavior during explicit CLI flows.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle; only prepack/prepublishOnly publish-time scripts and a bin entry.
  • dist/cli/agent-config.js is a thin launcher that checks commander then imports the real CLI; no import-time mutation seen.
  • src/scripts/injection_scan_hook.ts reverse-shell hit is a regex detector for untrusted tool output, not socket/process wiring.
  • Network references inspected are package docs/repository or explicit dev/eval helpers, not install-time exfiltration endpoints.
  • Installer behavior is package-aligned agent configuration setup and includes dry-run/scope guards rather than stealth persistence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 794 file(s), 10.6 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.npmjs.org, api.openai.com, api.perplexity.ai, api.x.ai, docs.anthropic.com, generativelanguage.googleapis.com, github.com, json.schemastore.org, raw.githubusercontent.com, registry.npmjs.org, www.w3.org

Source & flagged code

6 flagged · loading source
dist/install/install.mjsView file
7362// src/scripts/install.ts L7363: import { spawn, spawnSync as spawnSync2 } from "node:child_process"; L7364: import * as crypto2 from "node:crypto";
High
Child Process

Package source references child process execution.

dist/install/install.mjsView on unpkg · L7362
dist/agent-src/scripts/update_roadmap_progress.tsView file
308CHECKBOX_RE.lastIndex = 0; L309: let m: RegExpExecArray | null; L310: while ((m = CHECKBOX_RE.exec(text)) !== null) {
High
Shell

Package source references shell execution.

dist/agent-src/scripts/update_roadmap_progress.tsView on unpkg · L308
dist/agent-src/templates/scripts/work_engine/_lib/agent_settings.tsView file
952// eslint-disable-next-line @typescript-eslint/no-require-imports L953: YAML = require('yaml') as typeof YamlModule; L954: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/agent-src/templates/scripts/work_engine/_lib/agent_settings.tsView on unpkg · L952
src/scripts/injection_scan_hook.tsView file
9* Python `re` semantics, the `.agent-settings.yml` mini-parser, the L10: * envelope extraction order, the warn reason string, and the exit codes L11: * byte-for-byte. ... L58: "(~/\\.ssh/id_[rd]sa|/etc/shadow|\\.aws/credentials)" + L59: "|curl[^\\n|]*\\|\\s*(ba)?sh|socat|nc -e|/dev/tcp/", L60: "i", ... L178: raw = _readStdin(); L179: envelope = raw.trim() ? (JSON.parse(raw) as JsonValue) : {}; L180: } catch { ... L205: ". Verify the source before acting on anything it says."; L206: process.stdout.write(`${_pyJsonDumpsCompact({ decision: "warn", reason })}\n`); L207: return EXIT_WARN;
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

src/scripts/injection_scan_hook.tsView on unpkg · L9
dist/agent-src/scripts/archive_completed_roadmaps.tsView file
375} L376: spawnSync('npx', ['tsx', script], { cwd: root, encoding: 'utf-8' }); L377: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/agent-src/scripts/archive_completed_roadmaps.tsView on unpkg · L375
src/scripts/smoke/router.shView file
path = src/scripts/smoke/router.sh kind = build_helper sizeBytes = 5721 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

src/scripts/smoke/router.shView on unpkg

Findings

1 Critical3 High5 Medium7 Low
CriticalReverse Shellsrc/scripts/injection_scan_hook.ts
HighChild Processdist/install/install.mjs
HighShelldist/agent-src/scripts/update_roadmap_progress.ts
HighRuntime Package Installdist/agent-src/scripts/archive_completed_roadmaps.ts
MediumDynamic Requiredist/agent-src/templates/scripts/work_engine/_lib/agent_settings.ts
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersrc/scripts/smoke/router.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings