registry  /  @frumu/tandem-panel  /  0.6.8

@frumu/tandem-panel@0.6.8

Web control center for Tandem authority-layer runtime: agents, workflows, memory, approvals, channels, and ops

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack was confirmed. The real risk is explicit user-command setup of first-party persistent Tandem engine/control-panel services and agent workflow configuration.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs tandem-setup init/service or tandem-control-panel run/doctor.
Impact
Can create persistent local services and local config/state files for the Tandem agent control panel; no unconsented foreign AI-agent control mutation or exfiltration found.
Mechanism
user-invoked first-party service setup and local control-panel runtime
Rationale
This is not malicious, but it has agent lifecycle risk because explicit setup can install persistent first-party services for an agent/control-panel runtime. The risky primitives are package-aligned and user-invoked, so blocking as malware would be a false positive.
Evidence
package.jsonbin/cli.jsbin/init-env.jsbin/setup.jsbin/service-runner.jslib/setup/env.jslib/setup/bootstrap.jslib/setup/services/systemd.jslib/setup/services/launchd.jslib/setup/control-panel-config.js~/.config/tandem/control-panel.env~/.local/share/tandem/data/config.json~/.local/share/tandem/control-panel/etc/systemd/system/tandem-engine.service/etc/systemd/system/tandem-control-panel.service/Library/LaunchDaemons/ai.frumu.tandem.engine.plist/Library/LaunchDaemons/ai.frumu.tandem.control-panel.plist
Network endpoints5
search.tandem.acapi.githubcopilot.com/mcp/127.0.0.1:39731127.0.0.1:39732127.0.0.1:39733

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/cli.js user-invoked init/service can install persistent systemd/launchd services.
  • lib/setup/services/systemd.js writes /etc/systemd/system/tandem-engine.service and tandem-control-panel.service.
  • lib/setup/services/launchd.js writes /Library/LaunchDaemons ai.frumu.tandem engine/panel plists.
  • lib/setup/control-panel-config.js defaults include GitHub Copilot MCP URL for agent workflow integration.
Evidence against
  • package.json has no install/preinstall/postinstall hook; only prepublishOnly build.
  • bin/cli.js setup and service installation require explicit CLI commands, not import/install time.
  • lib/setup/env.js generates local Tandem env/config/state files; no credential harvesting or exfiltration found.
  • bin/service-runner.js launches first-party @frumu/tandem engine and local panel only.
  • dist/assets/vendor-DaS45vkz.js invisible Unicode matches bundled YAML BOM/control tokens, not reviewer/prompt manipulation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 86 file(s), 3.25 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.githubcopilot.com, api.minimax.io, api.together.xyz, chatgpt.com, console.anthropic.com, console.aws.amazon.com, console.cloud.google.com, console.groq.com, console.mistral.ai, dashboard.cohere.com, docs.github.com, example.com, git-scm.com, github.com, json-schema.org, openrouter.ai, platform.openai.com, portal.azure.com, search.tandem.ac, www.apple.com, www.w3.org

Source & flagged code

4 flagged · loading source
bin/setup.jsView file
2L3: import { spawn } from "child_process"; L4: import { createServer } from "http"; L5: import { readFileSync, existsSync, createReadStream, createWriteStream } from "fs"; ... L82: for (const [key, value] of Object.entries(parsed)) { L83: if (process.env[key] === undefined) process.env[key] = value; L84: } ... L89: const name = String(username || "").trim(); L90: if (!name) return homedir(); L91: try { L92: const passwd = readFileSync("/etc/passwd", "utf8"); L93: for (const line of passwd.split(/\r?\n/)) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/setup.jsView on unpkg · L2
bin/cli.jsView file
3Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network L3: import { basename } from "path"; L4: import { spawn } from "child_process"; L5: import { fileURLToPath } from "url"; ... L23: stdio: "inherit", L24: env: process.env, L25: }); ... L33: const serviceUser = String(cli.value("service-user") || process.env.SUDO_USER || process.env.USER || "").trim(); L34: const homeDir = (await resolveUserHome(serviceUser || process.env.USER, process.platform)) || paths.home; L35: const options = { ... L118: console.log("Mobile pairing is not implemented in this build."); L119: console.log(`Control panel: http://${doctor.panelHost}:${doctor.panelPort}`); L120: console.log(`Public URL: ${doctor.panelPublicUrl || "(not configured)"}`);
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/cli.jsView on unpkg · L3
dist/assets/vendor-DaS45vkz.jsView file
153contains invisible/control Unicode U+FEFF (zero width no-break space) `};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/assets/vendor-DaS45vkz.jsView on unpkg · L153
bin/service-local.shView file
path = bin/service-local.sh kind = build_helper sizeBytes = 1892 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/service-local.shView on unpkg

Findings

1 Critical1 High5 Medium6 Low
CriticalTrojan Source Unicodedist/assets/vendor-DaS45vkz.js
HighEntrypoint Build Divergencebin/cli.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/service-local.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/setup.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings