registry  /  @guangnao/agent-cli  /  1.4.8

@guangnao/agent-cli@1.4.8

AgentOS terminal CLI — drive a real LLM agent on the microkernel; strongest-UX shell, advanced agent core

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 749 KB of source, external domains: 127.0.0.1, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.guangnao.com, api.openai.com, auth.openai.com, chatgpt.com, console.anthropic.com, generativelanguage.googleapis.com, guangnao.com, platform.deepseek.com, platform.openai.com

Source & flagged code

7 flagged · loading source
dist/cli.jsView file
7207// src/tools/shell.ts L7208: import { exec } from "node:child_process"; L7209:
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L7207
7226const id = `bg_${++this.seq}`; L7227: const proc = spawn(command, { shell: true, cwd, stdio: ["ignore", "pipe", "pipe"] }); L7228: const job = { id, command, proc, buf: "", cursor: 0, status: "running", code: null, startedAt: Date.now() };
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L7226
7328schema: { name: "shell", description: "run a shell command and return stdout/stderr + exit code. Pass background:true for a long-running command (dev server, watch, tail) \u2014 it... L7329: command: { type: "string", description: "the command line to run (sh -c)" }, L7330: cwd: { type: "string", description: "working directory (optional; defaults to where agentos was launched)" }, ... L7335: if (!command || !command.trim()) return { error: "empty command" }; L7336: const dir = cwd || process.env["AGENTOS_CWD"] || process.cwd(); L7337: if (background) { ... L7340: } L7341: return new Promise((resolve4) => { L7342: exec(command, { cwd: dir, timeout: 3e4, maxBuffer: 1 << 20 }, (err, stdout, stderr) => {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli.jsView on unpkg · L7328
19628if (paintTimer) clearInterval(paintTimer); L19629: if (tty) process.stderr.write("\n"); L19630: try { ... L19635: closeLocal(); L19636: resolve4(); L19637: }; ... L19643: // src/cli.ts L19644: import { spawnSync, spawn as spawn8 } from "node:child_process"; L19645: import { homedir as homedir11 } from "node:os";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli.jsView on unpkg · L19628
191function charWidth(ch) { L192: const cc = ch.length === 1 ? ch.charCodeAt(0) : -1; L193: if (cc >= 32 && cc <= 126) return 1; ... L285: GLYPH_MARKERS = /* @__PURE__ */ new Set(["\u23FA", "\u23BF", "\u2713", "\u2717", "\u25B8", "\u25CC", "\xB7", "-", "*", "!", "?", "\u25CF", "\u2514", "\xD7", "\u25BA", "\u25CB"]); L286: legacyWin = process.platform === "win32" && !process.env["WT_SESSION"] && process.env["TERM_PROGRAM"] !== "vscode" && !/xterm|screen|vt100/i.test(process.env["TERM"] ?? ""); L287: GLYPH = { ... L366: function terminalWidth() { L367: return process.stdout.columns || 80; L368: } ... L1257: graph[models[i]] = { L1258: // http://jsperf.com/1-vs-infinity L1259: // micro-opt, but this is simple.
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/cli.jsView on unpkg · L191
6583var openaiResponses = (cfg2) => { L6584: const base4 = (cfg2.baseUrl ?? "https://api.openai.com/v1").replace(/\/$/, ""); L6585: const headers = { "Content-Type": "application/json", Authorization: `Bearer ${cfg2.apiKey}` }; ... L7207: // src/tools/shell.ts L7208: import { exec } from "node:child_process"; L7209: ... L7391: try { L7392: const content = readFileSync(abs, "utf8"); L7393: const total = content.length; ... L9771: if (b.goal) parts.push(`Goal: ${b.goal}`); L9772: if (b.tools?.length) parts.push(`Available tools: ${b.tools.join(", ")}`); L9773: if (b.lessons?.length) parts.push(`Lessons to bake in:
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/cli.jsView on unpkg · L6583
1539"use strict"; L1540: var os = __require("os"); L1541: var tty = __require("tty");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.jsView on unpkg · L1539

Findings

6 High4 Medium6 Low
HighChild Processdist/cli.js
HighShelldist/cli.js
HighSame File Env Network Executiondist/cli.js
HighCommand Output Exfiltrationdist/cli.js
HighSandbox Evasion Gated Capabilitydist/cli.js
HighRemote Agent Bridgedist/cli.js
MediumDynamic Requiredist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings