registry  /  @graphorin/agent  /  0.6.0

@graphorin/agent@0.6.0

Agent runtime for the Graphorin framework: createAgent({...}) factory, the typed model -> tool calls -> model loop, the AgentEvent<TOutput> discriminated event stream, steering / followUp queues, durable HITL approvals via runStateToJSON / runStateFromJSO

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Explicit progress-artifact writes can escape the configured artifact root through unsanitized path segments. No install-time attack, exfiltration, or remote payload path was found.

Static reason
No blocking static signals were detected.
Trigger
A consumer invokes agent progress writing with attacker-controlled `artifactRoot`, `runId`, or `role`.
Impact
Potential overwrite of files writable by the running process.
Mechanism
Path traversal through filesystem artifact-path construction.
Rationale
The package is not malicious by source inspection, but its exposed progress API has an unresolved arbitrary-file-write path traversal vulnerability. Flag it for warning rather than blocking publication.
Evidence
dist/progress/index.jsdist/factory.jsdist/types.d.tspackage.json

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `dist/progress/index.js` joins caller-controlled `artifactRoot`, `runId`, and `role` into write paths without containment checks.
  • `progress.write` uses recursive `mkdir`, `writeFile`, and `rename`, enabling a runtime path-traversal arbitrary-file-write primitive.
  • The progress API is exposed by the agent runtime for caller-invoked writes (`dist/types.d.ts`).
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle hook.
  • No package source uses network clients, shell execution, eval, VM loading, or environment harvesting.
  • `dist/index.js` only imports and exports runtime modules; import-time code shows no persistence or payload execution.
  • Filesystem writes are confined to the explicit progress-artifact feature rather than install-time behavior.
Behavioral surface
Source
ChildProcessCryptoFilesystem
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 172 KB of source

Source & flagged code

2 flagged · loading source
dist/progress/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/progress/index.js` joins caller-controlled `artifactRoot`, `runId`, and `role` into write paths without containment checks.

dist/progress/index.jsView on unpkg
dist/types.d.tsView file
Published source reference
Medium
Ai Review Evidence

The progress API is exposed by the agent runtime for caller-invoked writes (`dist/types.d.ts`).

dist/types.d.tsView on unpkg

Findings

3 Medium3 Low
MediumAi Review Evidencedist/progress/index.js
MediumAi Review Evidence
MediumAi Review Evidencedist/types.d.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings