registry  /  @evoscientist/webui  /  0.1.9

@evoscientist/webui@0.1.9

Web UI for EvoScientist — a self-evolving AI scientist built on DeepAgents/LangGraph.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The local UI offers a user-invoked skill installer. It fetches a GitHub skills catalog and writes selected skill files under the package-owned EvoScientist configuration area.

Static reason
No blocking static signals were detected.
Trigger
User runs `evoscientist-webui` and submits a same-origin `POST /api/skills/install` request.
Impact
Remote content can become a first-party EvoScientist agent extension; no install-time mutation, credential harvesting, or stealth persistence was found.
Mechanism
Downloads remote skills and atomically installs them under `~/.evoscientist/skills/<name>`.
Rationale
Source inspection confirms user-invoked remote agent-extension installation into the EvoScientist-owned configuration area. Per policy this warrants a warning, while the absence of lifecycle hooks and malicious execution chains does not support a block.
Evidence
package.jsonbin/evoscientist-webui.mjsdist/server.jsdist/.next/server/app/api/skills/install/route.jsdist/.next/server/chunks/[root-of-the-server]__0-8pt0b._.jsdist/.next/server/chunks/[root-of-the-server]__0cnmh23._.jsdist/.next/server/app/icon.png.body~/.evoscientist/skills/<name>~/.config/evoscientist/config.yaml
Network endpoints4
api.github.com/repos/${s}/commits/${o}api.github.com/repos/${s}/git/trees/${t}?recursive=1raw.githubusercontent.com/${s}/${e}/${t}127.0.0.1:${e}

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `/api/skills/install` downloads GitHub catalog files into `~/.evoscientist/skills/<name>`.
  • Skill installation is reachable at runtime through the local UI, not an npm lifecycle hook.
  • The installer validates skill names and resolved paths, but installs remote agent-extension content.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` script.
  • `bin/evoscientist-webui.mjs` only starts `dist/server.js`, polls localhost, and opens that URL.
  • Skill-install POST requests reject cross-origin `Origin` values.
  • The flagged `icon.png.body` is a valid 64×64 PNG.
  • No dynamic `eval`, `Function`, or VM execution was found in package-owned runtime chunks.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 9.52 KB of source, external domains: 127.0.0.1

Source & flagged code

5 flagged · loading source
bin/evoscientist-webui.mjsView file
1#!/usr/bin/env node L2: import { spawn, execSync } from "child_process"; L3: import { dirname, join, resolve } from "path";
High
Child Process

Package source references child process execution.

bin/evoscientist-webui.mjsView on unpkg · L1
1Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network L1: #!/usr/bin/env node L2: import { spawn, execSync } from "child_process"; L3: import { dirname, join, resolve } from "path"; ... L6: L7: const __dirname = dirname(fileURLToPath(import.meta.url)); L8: const pkgDir = resolve(__dirname, ".."); L9: const pkg = JSON.parse(readFileSync(join(pkgDir, "package.json"), "utf-8")); L10: const serverEntry = join(pkgDir, "dist", "server.js"); ... L25: Starts the EvoScientist Web UI and opens it in your browser. L26: Then enter your EvoScientist deployment URL (default http://127.0.0.1:6174) L27: from \`EvoSci deploy\` to connect. ... L41: port = parseInt(args[portIdx + 1], 10);
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/evoscientist-webui.mjsView on unpkg · L1
41port = parseInt(args[portIdx + 1], 10); L42: } else if (process.env.PORT && !Number.isNaN(parseInt(process.env.PORT, 10))) { L43: port = parseInt(process.env.PORT, 10); ... L45: L46: const url = `http://localhost:${port}`; L47: console.log(` ⏳ Starting EvoScientist Web UI on ${url} …`); L48: L49: const child = spawn(process.execPath, [serverEntry], { L50: stdio: "inherit",
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

bin/evoscientist-webui.mjsView on unpkg · L41
dist/.next/server/app/icon.png.bodyView file
path = dist/.next/server/app/icon.png.body kind = high_entropy_blob sizeBytes = 7007 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/.next/server/app/icon.png.bodyView on unpkg
path = dist/.next/server/app/icon.png.body kind = payload_in_excluded_dir sizeBytes = 7007 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

dist/.next/server/app/icon.png.bodyView on unpkg

Findings

6 High3 Medium3 Low
HighChild Processbin/evoscientist-webui.mjs
HighShell
HighEntrypoint Build Divergencebin/evoscientist-webui.mjs
HighSame File Env Network Executionbin/evoscientist-webui.mjs
HighShips High Entropy Blobdist/.next/server/app/icon.png.body
HighPayload In Excluded Dirdist/.next/server/app/icon.png.body
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings