registry  /  @intrect/openswarm  /  0.17.6

@intrect/openswarm@0.17.6

Autonomous AI agent orchestrator — Claude, GPT, Codex, and local models (Ollama/LMStudio/llama.cpp)

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `openswarm` commands or enables configured agent/daemon work.
Impact
The selected project and process-accessible credentials can be affected by configured agent tasks.
Mechanism
User-invoked agent shell/file/MCP/provider execution.
Rationale
Source supports a dangerous-capability warning, not a malicious block: powerful behavior is package-aligned and user-invoked, while install-time and covert malicious behavior were not found.
Evidence
package.jsondist/adapters/tools.jsdist/cli/daemon.jsdist/verify/runner.jsdist/auth/oauthStore.jsdist/cli/mcpCommand.jsdist/support/updateNotifier.jsdist/telemetry/telemetry.jsdist/adapters/webTools.js~/.config/openswarm/openswarm.pid~/.config/openswarm/logs/openswarm.log~/.openswarm/auth-profiles.json~/.openswarm/mcp.json<selected-project-root>/tmp
Network endpoints6
registry.npmjs.org/@intrect/openswarm/latesttelemetry.intrect.io/v1/openswarmauth.openai.com/oauth/tokenapi.linear.app/oauth/tokenchatgpt.com/backend-api/codex/responsesapi.openai.com/v1

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/adapters/tools.js` provides agent-callable project file writes, `bash -c`, web fetch/search, and MCP calls.
  • `dist/cli/daemon.js` starts a detached service and writes PID/log state after explicit `openswarm start`.
  • `dist/verify/runner.js` runs configured project commands through a shell in a temporary sandbox.
  • `dist/auth/oauthStore.js` persists OAuth profiles in `~/.openswarm/auth-profiles.json`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • `dist/adapters/tools.js` confines file tools to the selected project root or `/tmp`.
  • `dist/cli/mcpCommand.js` mutates only first-party `~/.openswarm/mcp.json` via explicit `openswarm mcp` commands.
  • No source evidence of credential exfiltration, hidden payload retrieval, or mutation of foreign AI-agent configuration.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 237 file(s), 2.31 MB of source, external domains: 127.0.0.1, api.cryptoquant.com, api.linear.app, api.openai.com, api.search.brave.com, api.tavily.com, api.telegram.org, auth.openai.com, chatgpt.com, github.com, html.duckduckgo.com, linear.app, mcp.linear.app, openrouter.ai, registry.npmjs.org, telemetry.intrect.io

Source & flagged code

7 flagged · loading source
dist/verify/runner.jsView file
1import { spawn } from 'node:child_process'; L2: import { createHash } from 'node:crypto';
High
Child Process

Package source references child process execution.

dist/verify/runner.jsView on unpkg · L1
dist/adapters/tools.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @intrect/openswarm@0.17.1 matchedIdentity = npm:QGludHJlY3Qvb3BlbnN3YXJt:0.17.1 similarity = 0.483 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/adapters/tools.jsView on unpkg
17* The daemon's launchd PATH is minimal (/usr/bin:/bin:/opt/homebrew/bin, no L18: * ~/.cargo/bin or ~/.local/bin), and the `bash` tool runs non-login (`bash -c`), L19: * so it never sources the user's shell profile. Result: `cargo`/`uv`/`pyenv`
High
Shell

Package source references shell execution.

dist/adapters/tools.jsView on unpkg · L17
dist/registry/bsDetector.jsView file
118category: 'security', L119: message: 'eval() 사용 — 코드 인젝션 위험', L120: pattern: /\beval\s*\(/,
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/registry/bsDetector.jsView on unpkg · L118
dist/cli/doctorHandler.jsView file
50try { L51: await import(mod); L52: line('ok', `native: ${mod}`, 'loads');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/doctorHandler.jsView on unpkg · L50
dist/cli/daemon.jsView file
5// `openswarm start` spawns a detached child that runs the full service (index.js L6: // → startService), redirects stdout/stderr to a log file, writes a PID file, L7: // and exits the parent. `openswarm stop` reads the PID file and sends SIGTERM. L8: // `openswarm status` reports running/stopped plus port 3847 health. L9: import { spawn } from 'node:child_process'; L10: import { closeSync, existsSync, mkdirSync, openSync, readFileSync, unlinkSync, writeFileSync, statSync } from 'node:fs'; ... L13: import { fileURLToPath } from 'node:url'; L14: const STATE_DIR = join(homedir(), '.config', 'openswarm'); L15: const LOG_DIR = join(STATE_DIR, 'logs'); ... L50: try { L51: const res = await fetch(`http://127.0.0.1:${port}/api/stats`, { L52: signal: AbortSignal.timeout(timeoutMs),
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/daemon.jsView on unpkg · L5
dist/support/updateNotifier.jsView file
119} L120: /** `npm install -g <pkg>@latest`. Returns true on success. (INT-2394) */ L121: function defaultInstall(pkg) { L122: try { L123: execFileSync('npm', ['install', '-g', `${pkg}@latest`], { stdio: 'inherit', timeout: 180_000 }); L124: return true;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/support/updateNotifier.jsView on unpkg · L119

Findings

1 Critical3 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/adapters/tools.js
HighChild Processdist/verify/runner.js
HighShelldist/adapters/tools.js
HighRuntime Package Installdist/support/updateNotifier.js
MediumDynamic Requiredist/cli/doctorHandler.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli/daemon.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvaldist/registry/bsDetector.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings