registry  /  @fased/fased  /  0.1.45

@fased/fased@0.1.45

Fased Agent self-hosted AI gateway with channels, tools, plugins, and operator modules

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The prepare hook mutates Git's hooks-path setting when installation occurs in a Git worktree. It points to an absent package-relative directory and no hook payload was found. Runtime credential access is aligned with this self-hosted AI gateway's provider-auth capability, with no confirmed exfiltration chain.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm prepare in a Git worktree; explicit runtime provider authentication
Impact
Repository Git configuration changes; local model-provider credentials may be used by configured runtime features
Mechanism
Prepare-time Git config mutation; runtime local credential loading
Rationale
No concrete malicious behavior was confirmed. The guarded prepare-time Git configuration side effect remains a real lifecycle risk and merits a warning under the stated policy.
Evidence
package.jsonfased.mjsdist/entry.jsdist/infra/net/ssrf.jsdist/agents/cli-credentials.jsdist/tui/tui-formatters.jsscripts/fased-launcher-runtime.mjsdist/infra/git-commit.jsscripts/start-managed.sh

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • package.json `prepare` runs `git config core.hooksPath git-hooks` in any Git worktree.
  • dist/agents/cli-credentials.js can read local Claude/Codex/MiniMax credentials during runtime.
Evidence against
  • No preinstall/install/postinstall hook is declared.
  • No `git-hooks` directory is shipped, so the prepare hook installs no hook payload.
  • fased.mjs runs only as the explicit `fased` CLI entrypoint.
  • dist/infra/net/ssrf.js blocks localhost, cloud metadata, and private/internal IP targets.
  • dist/agents/cli-credentials.js contains no network request path; credentials are local runtime inputs.
  • No bidi control characters were found in dist/tui/tui-formatters.js.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3,090 file(s), 24.3 MB of source, external domains: 127.0.0.1, 192.168.1.100, accounts.google.com, agent.example.com, ai-gateway.vercel.sh, aistudio.google.com, albumart.url, api.anthropic.com, api.botframework.com, api.chutes.ai, api.deepgram.com, api.devnet.solana.com, api.elevenlabs.io, api.exa.ai, api.example.com, api.firecrawl.dev, api.github.com, api.groq.com, api.individual.githubcopilot.com, api.jup.ag, api.kimi.com, api.mainnet-beta.solana.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.openai.com, api.perplexity.ai, api.plivo.com, api.pluralkit.me, api.push.apple.com, api.sandbox.push.apple.com, api.search.brave.com, api.synthetic.new, api.tavily.com, api.telegram.org, api.telnyx.com, api.together.xyz, api.twilio.com, api.venice.ai, api.voyageai.com, api.x.ai, api.xiaomimimo.com, api.z.ai, ark.ap-southeast.bytepluses.com, ark.cn-beijing.volces.com, arweave.net, auth.x.ai, autopush-cloudcode-pa.sandbox.googleapis.com
Oversized source lightweight scan
dist/plugin-sdk/pi-embedded-runner-XtyJMQqg.js3.29 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStringsapi.elevenlabs.ioapi.openai.com

Source & flagged code

7 flagged · loading source
dist/browser/config.jsView file
69patternName = generic_password severity = medium line = 69 matchedText = parsed.p...ed";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/browser/config.jsView on unpkg · L69
dist/infra/git-commit.jsView file
19try { L20: const require = createRequire(import.meta.url); L21: const pkg = require("../../package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/infra/git-commit.jsView on unpkg · L19
extensions/voice-call/src/webhook-security.tsView file
76* L77: * @see https://www.twilio.[redacted]-security L78: */ ... L82: url: string, L83: params: URLSearchParams, L84: ): boolean { ... L90: L91: // HMAC-SHA1 with auth token, then base64 encode L92: const expectedSignature = crypto
Low
Weak Crypto

Package source references weak cryptographic algorithms.

extensions/voice-call/src/webhook-security.tsView on unpkg · L76
dist/infra/net/ssrf.jsView file
2import { normalizeHostname } from "./hostname.js"; L3: import { Agent } from "undici"; L4: import { lookup } from "node:dns"; L5: import { lookup as lookup$1 } from "node:dns/promises"; ... L31: } L32: function resolveAllowPrivateNetwork(policy) { L33: return policy?.dangerouslyAllowPrivateNetwork === true || policy?.allowPrivateNetwork === true;
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/infra/net/ssrf.jsView on unpkg · L2
dist/tui/tui-formatters.jsView file
18contains invisible/control Unicode U+2067 (right-to-left isolate) const RTL_ISOLATE_START = "<U+2067>";
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/tui/tui-formatters.jsView on unpkg · L18
scripts/start-managed.shView file
path = scripts/start-managed.sh kind = build_helper sizeBytes = 57069 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/start-managed.shView on unpkg
dist/plugin-sdk/pi-embedded-runner-XtyJMQqg.jsView file
path = dist/plugin-sdk/pi-embedded-runner-XtyJMQqg.js kind = oversized_source_file sizeBytes = 3447569 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/plugin-sdk/pi-embedded-runner-XtyJMQqg.jsView on unpkg

Findings

1 Critical2 High6 Medium8 Low
CriticalTrojan Source Unicodedist/tui/tui-formatters.js
HighCloud Metadata Accessdist/infra/net/ssrf.js
HighOversized Source Filedist/plugin-sdk/pi-embedded-runner-XtyJMQqg.js
MediumSecret Patterndist/browser/config.js
MediumDynamic Requiredist/infra/git-commit.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/start-managed.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowWeak Cryptoextensions/voice-call/src/webhook-security.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings