registry  /  @fased/fased  /  0.1.62

@fased/fased@0.1.62

Fased Agent self-hosted AI gateway with channels, tools, plugins, and operator modules

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
Running `fased update`, `fased gateway install`, or package `prepare` inside a Git checkout.
Impact
Can persist and update the first-party Fased gateway runtime; no unconsented install-time foreign control-surface mutation was confirmed.
Mechanism
User-invoked managed runtime download, symlink activation, and service refresh.
Rationale
Source inspection does not support the scanner's malicious verdict. The package retains explicit-command service/update capability and a prepare-time Git hook mutation, so it should be warned rather than blocked.
Evidence
package.jsonfased.mjsdist/cli/update-cli/update-command.jsdist/cli/daemon-cli/install.jsdist/infra/managed-runtime-bootstrap.jsscripts/fased-managed-updater.mjsdist/infra/net/ssrf.jsdist/tui/tui-formatters.jsscripts/install-managed-runtime.mjsscripts/managed-runtime-layout.mjsscripts/fased-managed-launcher.sh
Network endpoints2
github.com/fased-ai/fased/releases/downloadregistry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `package.json` `prepare` sets Git `core.hooksPath` when run inside a work tree.
  • `dist/infra/managed-runtime-bootstrap.js` installs managed runtime files, symlinks, and an updater on Linux.
  • `scripts/fased-managed-updater.mjs` downloads and activates release artifacts, then reinstalls/restarts the gateway service.
  • `fased.mjs` imports and executes the CLI runtime when the user invokes `fased`.
  • Scanner's bidi finding is benign: `dist/tui/tui-formatters.js` uses RTL isolate characters as named formatting constants.
Evidence against
  • No `preinstall`, `install`, or `postinstall` lifecycle hook is declared.
  • Managed bootstrap is reached from explicit `fased update` and `gateway install` command paths.
  • Updater endpoints are fixed package-aligned GitHub Releases and npm registry URLs.
  • `dist/infra/net/ssrf.js` blocks private, internal, special-use, and resolved private addresses.
  • No inspected source showed credential harvesting, covert exfiltration, eval-based payload execution, or foreign AI-agent configuration writes.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3,121 file(s), 24.1 MB of source, external domains: 127.0.0.1, 192.168.1.100, accounts.google.com, agent.example.com, ai-gateway.vercel.sh, aistudio.google.com, albumart.url, api.anthropic.com, api.botframework.com, api.chutes.ai, api.deepgram.com, api.devnet.solana.com, api.elevenlabs.io, api.exa.ai, api.example.com, api.firecrawl.dev, api.github.com, api.groq.com, api.individual.githubcopilot.com, api.jup.ag, api.kimi.com, api.mainnet-beta.solana.com, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.moonshot.cn, api.openai.com, api.perplexity.ai, api.plivo.com, api.pluralkit.me, api.push.apple.com, api.sandbox.push.apple.com, api.search.brave.com, api.synthetic.new, api.tavily.com, api.telegram.org, api.telnyx.com, api.together.xyz, api.twilio.com, api.venice.ai, api.voyageai.com, api.x.ai, api.xiaomimimo.com, api.z.ai, ark.ap-southeast.bytepluses.com, ark.cn-beijing.volces.com, arweave.net, auth.x.ai, autopush-cloudcode-pa.sandbox.googleapis.com
Oversized source lightweight scan
dist/plugin-sdk/config-schema-BrkmtFxB.js4.16 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStringsapi.github.comapi.push.apple.comapi.sandbox.push.apple.combrew.sh

Source & flagged code

8 flagged · loading source
dist/browser/config.jsView file
69patternName = generic_password severity = medium line = 69 matchedText = parsed.p...ed";
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/browser/config.jsView on unpkg · L69
dist/infra/git-commit.jsView file
19try { L20: const require = createRequire(import.meta.url); L21: const pkg = require("../../package.json");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/infra/git-commit.jsView on unpkg · L19
extensions/voice-call/src/webhook-security.tsView file
76* L77: * @see https://www.twilio.[redacted]-security L78: */ ... L82: url: string, L83: params: URLSearchParams, L84: ): boolean { ... L90: L91: // HMAC-SHA1 with auth token, then base64 encode L92: const expectedSignature = crypto
Low
Weak Crypto

Package source references weak cryptographic algorithms.

extensions/voice-call/src/webhook-security.tsView on unpkg · L76
dist/infra/net/ssrf.jsView file
2import { normalizeHostname } from "./hostname.js"; L3: import { Agent } from "undici"; L4: import { lookup } from "node:dns"; L5: import { lookup as lookup$1 } from "node:dns/promises"; ... L31: } L32: function resolveAllowPrivateNetwork(policy) { L33: return policy?.dangerouslyAllowPrivateNetwork === true || policy?.allowPrivateNetwork === true;
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/infra/net/ssrf.jsView on unpkg · L2
dist/tui/tui-formatters.jsView file
18contains invisible/control Unicode U+2067 (right-to-left isolate) const RTL_ISOLATE_START = "<U+2067>";
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/tui/tui-formatters.jsView on unpkg · L18
scripts/fased-managed-launcher.shView file
path = scripts/fased-managed-launcher.sh kind = build_helper sizeBytes = 1983 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/fased-managed-launcher.shView on unpkg
dist/plugin-sdk/config-schema-BrkmtFxB.jsView file
path = dist/plugin-sdk/config-schema-BrkmtFxB.js kind = oversized_source_file sizeBytes = 4361970 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/plugin-sdk/config-schema-BrkmtFxB.jsView on unpkg
dist/infra/managed-runtime-bootstrap.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @fased/fased@0.1.60 matchedIdentity = npm:QGZhc2VkL2Zhc2Vk:0.1.60 similarity = 0.683 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/infra/managed-runtime-bootstrap.jsView on unpkg

Findings

1 Critical3 High6 Medium8 Low
CriticalTrojan Source Unicodedist/tui/tui-formatters.js
HighCloud Metadata Accessdist/infra/net/ssrf.js
HighOversized Source Filedist/plugin-sdk/config-schema-BrkmtFxB.js
HighPrevious Version Dangerous Deltadist/infra/managed-runtime-bootstrap.js
MediumSecret Patterndist/browser/config.js
MediumDynamic Requiredist/infra/git-commit.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperscripts/fased-managed-launcher.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEval
LowWeak Cryptoextensions/voice-call/src/webhook-security.ts
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings