registry  /  @frumu/tandem-panel  /  0.6.9

@frumu/tandem-panel@0.6.9

Web control center for Tandem authority-layer runtime: agents, workflows, memory, approvals, channels, and ops

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time attack behavior is established. User-invoked setup can install persistent first-party Tandem engine and control-panel services.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Run `tandem-control-panel init` or the CLI `service install` command.
Impact
Persistent local Tandem services may run with the invoking service configuration; no unconsented foreign AI-agent mutation or exfiltration was found.
Mechanism
Explicit OS service installation and local control-panel runtime launch.
Rationale
No concrete malicious chain was found, but explicit setup creates persistent AI-runtime services. Treat the lifecycle capability as a warning rather than a publish block.
Evidence
package.jsonbin/cli.jsbin/service-runner.jslib/setup/services/systemd.jslib/setup/services/launchd.jsserver/routes/knowledgebase.jsdist/assets/vendor-BtvK_bPf.jsbin/setup.jslib/setup/bootstrap.jslib/setup/env.js

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/cli.js` explicit `init` installs OS services unless `--no-service`/`--foreground` is set.
  • `lib/setup/services/systemd.js` and `launchd.js` create persistent Tandem engine/control-panel service units.
  • `bin/service-runner.js` starts the package panel and `@frumu/tandem` engine with inherited environment.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • Persistence is reached through user-invoked CLI commands, not package installation.
  • Network code proxies configured Tandem/knowledgebase endpoints; no hard-coded exfiltration host found.
  • Dynamic resolution is limited to the declared `@frumu/tandem` engine entrypoint.
  • The reported Unicode controls in `dist/assets/vendor-BtvK_bPf.js` are BOM bytes in bundled vendor code, not concealed source logic.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 89 file(s), 3.51 MB of source, external domains: 127.0.0.1, aistudio.google.com, api.githubcopilot.com, api.minimax.io, api.together.xyz, chatgpt.com, console.anthropic.com, console.aws.amazon.com, console.cloud.google.com, console.groq.com, console.mistral.ai, dashboard.cohere.com, docs.github.com, example.com, git-scm.com, github.com, json-schema.org, openrouter.ai, platform.openai.com, portal.azure.com, reactflow.dev, search.tandem.ac, www.apple.com, www.w3.org

Source & flagged code

5 flagged · loading source
dist/assets/index-FTt5P2sf.jsView file
2import{A as e,C as t,E as n,O as r,T as i,_ as a,j as o,k as s,l as c,p as l,v as u,x as d,y as f}from"./fullcalendar-DqS3A04L.js";import{t as p}from"./preact-vendor-gh6CZX8y.js";i... L3: `),id:n,event:r,retry:i}}function ze(e){let t=e.data.trim();if(!t)return null;try{let n=JSON.parse(t),r;if(n&&typeof n==`object`&&typeof n.cursor==`number`&&n.event&&typeof n.event... L4: `)}function Lt(e){let t=String(e?.approval_id||e?.id||``),n=String(e?.run_id||``);return{request_id:t,source:`aca_external_action`,tenant:{org_id:`local`,workspace_id:`aca`},run_id...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/assets/index-FTt5P2sf.jsView on unpkg · L2
bin/setup.jsView file
2L3: import { spawn } from "child_process"; L4: import { createServer } from "http"; L5: import { readFileSync, existsSync, createReadStream, createWriteStream } from "fs"; ... L82: for (const [key, value] of Object.entries(parsed)) { L83: if (process.env[key] === undefined) process.env[key] = value; L84: } ... L89: const name = String(username || "").trim(); L90: if (!name) return homedir(); L91: try { L92: const passwd = readFileSync("/etc/passwd", "utf8"); L93: for (const line of passwd.split(/\r?\n/)) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

bin/setup.jsView on unpkg · L2
bin/cli.jsView file
3Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, execution+network L3: import { basename } from "path"; L4: import { spawn } from "child_process"; L5: import { fileURLToPath } from "url"; ... L23: stdio: "inherit", L24: env: process.env, L25: }); ... L33: const serviceUser = String(cli.value("service-user") || process.env.SUDO_USER || process.env.USER || "").trim(); L34: const homeDir = (await resolveUserHome(serviceUser || process.env.USER, process.platform)) || paths.home; L35: const options = { ... L118: console.log("Mobile pairing is not implemented in this build."); L119: console.log(`Control panel: http://${doctor.panelHost}:${doctor.panelPort}`); L120: console.log(`Public URL: ${doctor.panelPublicUrl || "(not configured)"}`);
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/cli.jsView on unpkg · L3
dist/assets/vendor-BtvK_bPf.jsView file
153contains invisible/control Unicode U+FEFF (zero width no-break space) `};delete e.items,Object.assign(e,{type:n,source:t,end:[r]});break}default:{let r=`indent`in e?e.indent:-1,i=`end`in e&&Array.isArray(e.end)?e.end.filter(e=>e.type===`space`||e.type===`comment`||e.type===`newline`):[];for(let t of Object.ke
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

dist/assets/vendor-BtvK_bPf.jsView on unpkg · L153
bin/service-local.shView file
path = bin/service-local.sh kind = build_helper sizeBytes = 1892 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/service-local.shView on unpkg

Findings

1 Critical1 High5 Medium6 Low
CriticalTrojan Source Unicodedist/assets/vendor-BtvK_bPf.js
HighEntrypoint Build Divergencebin/cli.js
MediumDynamic Requiredist/assets/index-FTt5P2sf.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/service-local.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptobin/setup.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings