registry  /  @jami-studio/core  /  0.99.0

@jami-studio/core@0.99.0

Framework for agent-native application development — where AI agents and UI share SQL state, actions, and context

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `agent-native recap setup` or opts into `--with-github-action`.
Impact
Can add CI automation with access to user-configured credentials and repository PR-comment permissions.
Mechanism
Explicit GitHub Actions agent-workflow installation
Rationale
Source does not support the scanner's malicious/exfiltration conclusion, but it does expose an explicit user-command path that installs credentialed AI-agent CI automation. Per policy, this warrants a warning rather than a block.
Evidence
package.jsonbin/agent-native.jscorpus/core/src/cli/recap.tscorpus/core/src/cli/pr-visual-recap-workflow.tsdist/cli/pr-visual-recap-workflow.jsdist/coding-tools/index.jsdist/server/prompts/framework-core.js.github/workflows/pr-visual-recap.yml
Network endpoints2
api.github.complan.jami.studio

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `corpus/core/src/cli/recap.ts` explicitly writes `.github/workflows/pr-visual-recap.yml` on `recap setup`.
  • Bundled workflow invokes coding agents and uses configured GitHub/LLM/plan-service credentials.
  • `dist/coding-tools/index.js` runs caller-supplied commands with `shell: true`.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook; only publish-time scripts.
  • Workflow installation requires an explicit CLI setup action and refuses differing files unless `--force` is supplied.
  • Workflow source uses `pull_request`, comments that fork code must not see secrets, and passes only secret-presence signals to its gate.
  • The reported `eval` is a security-guidance string in `dist/server/prompts/framework-core.js`, not code evaluation.
  • No confirmed credential exfiltration or covert remote-payload execution was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5,017 file(s), 50.0 MB of source, external domains: 127.0.0.1, accounts.google.com, agent-native-artifact.invalid, agent-native.com, agent-native.invalid, agent-native.local, aistudio.google.com, amplitude.com, an.invalid, analytics.example.com, analytics.google.com, analytics.jami.studio, analytics.local, analyticsdata.googleapis.com, api.anthropic.com, api.apollo.io, api.botframework.com, api.brandfetch.io, api.builder.io, api.clay.com, api.commonroom.io, api.dataforseo.com, api.exa.ai, api.example.com, api.figma.com, api.firecrawl.dev, api.github.com, api.gong.io, api.groq.com, api.hubapi.com, api.logo.dev, api.mixpanel.com, api.notion.com, api.openai.com, api.resend.com, api.search.brave.com, api.sendgrid.com, api.slack.com, api.stripe.com, api.tavily.com, api.telegram.org, api.twitterapi.io, api.usepylon.com, api.zoom.us, api2.amplitude.com, apis.google.com, apolloio.github.io, app.amplitude.com, app.apollo.io, app.dataforseo.com

Source & flagged code

32 flagged · loading source
dist/server/onboarding-html.jsView file
69patternName = generic_password severity = medium line = 69 matchedText = password...rd",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/server/onboarding-html.jsView on unpkg · L69
329patternName = generic_password severity = medium line = 329 matchedText = password...ña",
Medium
Secret Pattern

Hardcoded password in dist/server/onboarding-html.js

dist/server/onboarding-html.jsView on unpkg · L329
415patternName = generic_password severity = medium line = 415 matchedText = password...se",
Medium
Secret Pattern

Hardcoded password in dist/server/onboarding-html.js

dist/server/onboarding-html.jsView on unpkg · L415
501patternName = generic_password severity = medium line = 501 matchedText = password...rt",
Medium
Secret Pattern

Hardcoded password in dist/server/onboarding-html.js

dist/server/onboarding-html.jsView on unpkg · L501
931patternName = generic_password severity = medium line = 931 matchedText = password...ور",
Medium
Secret Pattern

Hardcoded password in dist/server/onboarding-html.js

dist/server/onboarding-html.jsView on unpkg · L931
bin/agent-native.jsView file
2L3: import { spawn } from "node:child_process"; L4: import { existsSync, statSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/agent-native.jsView on unpkg · L2
34if (!shouldUseSourceFallback() && existsSync(distEntry)) { L35: await import(pathToFileURL(distEntry).href); L36: } else {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/agent-native.jsView on unpkg · L34
dist/coding-tools/index.jsView file
307cwd, L308: shell: true, L309: stdio: ["pipe", "pipe", "pipe"],
High
Shell

Package source references shell execution.

dist/coding-tools/index.jsView on unpkg · L307
dist/server/prompts/framework-core.jsView file
35const securityRule = hasDatabaseWrites L36: ? "7. **Security** — Always use `defineAction` with a Zod `schema:` for input validation. Never construct SQL with string concatenation — use parameterized queries via db-query/db-... L37: : hasDatabaseTools
High
Eval

Package source references dynamic code evaluation.

dist/server/prompts/framework-core.jsView on unpkg · L35
corpus/core/src/cli/migrate.tsView file
16const __filename = fileURLToPath(import.meta.url); L17: const __dirname = path.dirname(__filename); L18: ... L32: "COHERE_API_KEY", L33: "BUILDER_PRIVATE_KEY", L34: ]; ... L86: redirects: Array<Record<string, unknown>>; L87: metadata: Record<string, unknown>; L88: }; ... L592: ` App: ${appDir}`, L593: ` URL: http://localhost:${MIGRATION_DEV_PORT}/`, L594: "",
Low
Weak Crypto

Package source references weak cryptographic algorithms.

corpus/core/src/cli/migrate.tsView on unpkg · L16
dist/terminal/pty-server.jsView file
84} L85: export async function createPtyWebSocketServer(options = {}) { L86: const { appDir = process.cwd(), command: defaultCommand = "claude", port = 0, authCheck, logPrefix = "[terminal]", } = options; ... L90: const resolvedAppDir = path.resolve(appDir); L91: const shell = os.platform() === "win32" ? "cmd.exe" : process.env.SHELL || "/bin/zsh"; L92: const server = createHttpServer((req, res) => {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/terminal/pty-server.jsView on unpkg · L84
dist/cli/pr-visual-recap-workflow.jsView file
1/** Canonical PR Visual Recap workflow bundled by the CLI installer. */ L2: export const PR_VISUAL_RECAP_WORKFLOW_YML = 'name: PR Visual Recap\n\n# Visual code review: a coding agent runs the repo\'s visual-recap skill over the\n# PR diff, publishes a plan... L3: //# sourceMappingURL=pr-visual-recap-workflow.js.map
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli/pr-visual-recap-workflow.jsView on unpkg · L1
1Trigger-reachable chain: manifest.exports -> dist/cli/skills.js -> dist/cli/recap.js -> dist/cli/pr-visual-recap-workflow.js L1: /** Canonical PR Visual Recap workflow bundled by the CLI installer. */ L2: export const PR_VISUAL_RECAP_WORKFLOW_YML = 'name: PR Visual Recap\n\n# Visual code review: a coding agent runs the repo\'s visual-recap skill over the\n# PR diff, publishes a plan... L3: //# sourceMappingURL=pr-visual-recap-workflow.js.map
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/pr-visual-recap-workflow.jsView on unpkg · L1
dist/server/design-token-utils.jsView file
3* L4: * Pure functions for parsing Tailwind configs, CSS files, package.json, L5: * documents, and URLs to extract colors, fonts, spacing, border-radius, ... L129: throw new Error("Could not parse GitHub owner/repo from URL. " + L130: 'Expected format: "https://github.com/org/repo", "org/repo", or "git@github.com:org/repo.git"'); L131: } ... L150: try { L151: const body = (await res.json()); L152: if (typeof body.message === "string") ... L164: } L165: return { ok: false, status: res.status, data: null, message }; L166: }
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/server/design-token-utils.jsView on unpkg · L3
dist/cli/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @jami-studio/core@0.92.39 matchedIdentity = npm:QGphbWktc3R1ZGlvL2NvcmU:0.92.39 similarity = 0.575 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.jsView on unpkg
1Cross-file remote execution chain: dist/cli/index.js spawns dist/deploy/build.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { execSync, spawn } from "child_process"; L3: import fs from "fs"; ... L11: try { L12: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L13: // dist/cli/index.js → ../../package.json L14: const pkg = JSON.parse(fs.readFileSync(path.resolve(__dirname, "../../package.json"), "utf-8")); L15: _version = pkg.version; ... L26: console.error(`agent-native requires Node.js ${REQUIRED_NODE_MAJOR} or newer, but you're on Node ${process.versions.node}.\n` + L27: `Upgrade Node (https://nodejs.org) and re-run. With nvm: \`nvm install ${REQUIRED_NODE_MAJOR}\`.`); L28: process.exit(1); ... L113: }
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/index.jsView on unpkg · L1
corpus/core/src/server/onboarding-html.tsView file
92patternName = generic_password severity = medium line = 92 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in corpus/core/src/server/onboarding-html.ts

corpus/core/src/server/onboarding-html.tsView on unpkg · L92
366patternName = generic_password severity = medium line = 366 matchedText = password...ña",
Medium
Secret Pattern

Hardcoded password in corpus/core/src/server/onboarding-html.ts

corpus/core/src/server/onboarding-html.tsView on unpkg · L366
463patternName = generic_password severity = medium line = 463 matchedText = password...se",
Medium
Secret Pattern

Hardcoded password in corpus/core/src/server/onboarding-html.ts

corpus/core/src/server/onboarding-html.tsView on unpkg · L463
561patternName = generic_password severity = medium line = 561 matchedText = password...rt",
Medium
Secret Pattern

Hardcoded password in corpus/core/src/server/onboarding-html.ts

corpus/core/src/server/onboarding-html.tsView on unpkg · L561
1036patternName = generic_password severity = medium line = 1036 matchedText = password...ور",
Medium
Secret Pattern

Hardcoded password in corpus/core/src/server/onboarding-html.ts

corpus/core/src/server/onboarding-html.tsView on unpkg · L1036
corpus/templates/clips/app/i18n/fr-FR.tsView file
1407patternName = generic_password severity = medium line = 1407 matchedText = password...se",
Medium
Secret Pattern

Hardcoded password in corpus/templates/clips/app/i18n/fr-FR.ts

corpus/templates/clips/app/i18n/fr-FR.tsView on unpkg · L1407
corpus/templates/clips/app/i18n/ar-SA.tsView file
1383patternName = generic_password severity = medium line = 1383 matchedText = password...ور",
Medium
Secret Pattern

Hardcoded password in corpus/templates/clips/app/i18n/ar-SA.ts

corpus/templates/clips/app/i18n/ar-SA.tsView on unpkg · L1383
corpus/templates/clips/app/i18n/de-DE.tsView file
1412patternName = generic_password severity = medium line = 1412 matchedText = password...rt",
Medium
Secret Pattern

Hardcoded password in corpus/templates/clips/app/i18n/de-DE.ts

corpus/templates/clips/app/i18n/de-DE.tsView on unpkg · L1412
corpus/templates/clips/app/i18n/en-US.tsView file
1373patternName = generic_password severity = medium line = 1373 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in corpus/templates/clips/app/i18n/en-US.ts

corpus/templates/clips/app/i18n/en-US.tsView on unpkg · L1373
corpus/templates/clips/app/i18n/es-ES.tsView file
1405patternName = generic_password severity = medium line = 1405 matchedText = password...ña",
Medium
Secret Pattern

Hardcoded password in corpus/templates/clips/app/i18n/es-ES.ts

corpus/templates/clips/app/i18n/es-ES.tsView on unpkg · L1405
corpus/templates/plan/app/i18n/fr-FR.tsView file
472patternName = generic_password severity = medium line = 472 matchedText = password...se",
Medium
Secret Pattern

Hardcoded password in corpus/templates/plan/app/i18n/fr-FR.ts

corpus/templates/plan/app/i18n/fr-FR.tsView on unpkg · L472
corpus/templates/plan/app/i18n/ar-SA.tsView file
649patternName = generic_password severity = medium line = 649 matchedText = password...ور",
Medium
Secret Pattern

Hardcoded password in corpus/templates/plan/app/i18n/ar-SA.ts

corpus/templates/plan/app/i18n/ar-SA.tsView on unpkg · L649
corpus/templates/plan/app/i18n/de-DE.tsView file
661patternName = generic_password severity = medium line = 661 matchedText = password...rt",
Medium
Secret Pattern

Hardcoded password in corpus/templates/plan/app/i18n/de-DE.ts

corpus/templates/plan/app/i18n/de-DE.tsView on unpkg · L661
corpus/templates/plan/app/i18n/en-US.tsView file
639patternName = generic_password severity = medium line = 639 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in corpus/templates/plan/app/i18n/en-US.ts

corpus/templates/plan/app/i18n/en-US.tsView on unpkg · L639
corpus/templates/plan/app/i18n/es-ES.tsView file
470patternName = generic_password severity = medium line = 470 matchedText = password...ña",
Medium
Secret Pattern

Hardcoded password in corpus/templates/plan/app/i18n/es-ES.ts

corpus/templates/plan/app/i18n/es-ES.tsView on unpkg · L470
corpus/templates/analytics/server/lib/demo-source.tsView file
28patternName = generic_password severity = medium line = 28 matchedText = password...RD",
Medium
Secret Pattern

Hardcoded password in corpus/templates/analytics/server/lib/demo-source.ts

corpus/templates/analytics/server/lib/demo-source.tsView on unpkg · L28

Findings

3 Critical6 High25 Medium7 Low
CriticalCredential Exfiltrationdist/cli/pr-visual-recap-workflow.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/pr-visual-recap-workflow.js
CriticalPrevious Version Dangerous Deltadist/cli/index.js
HighChild Processbin/agent-native.js
HighShelldist/coding-tools/index.js
HighEvaldist/server/prompts/framework-core.js
HighSame File Env Network Executiondist/terminal/pty-server.js
HighCloud Metadata Accessdist/server/design-token-utils.js
HighCross File Remote Execution Contextdist/cli/index.js
MediumSecret Patterndist/server/onboarding-html.js
MediumDynamic Requirebin/agent-native.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/server/onboarding-html.js
MediumSecret Patterndist/server/onboarding-html.js
MediumSecret Patterndist/server/onboarding-html.js
MediumSecret Patterndist/server/onboarding-html.js
MediumSecret Patterncorpus/core/src/server/onboarding-html.ts
MediumSecret Patterncorpus/core/src/server/onboarding-html.ts
MediumSecret Patterncorpus/core/src/server/onboarding-html.ts
MediumSecret Patterncorpus/core/src/server/onboarding-html.ts
MediumSecret Patterncorpus/core/src/server/onboarding-html.ts
MediumSecret Patterncorpus/templates/clips/app/i18n/fr-FR.ts
MediumSecret Patterncorpus/templates/clips/app/i18n/ar-SA.ts
MediumSecret Patterncorpus/templates/clips/app/i18n/de-DE.ts
MediumSecret Patterncorpus/templates/clips/app/i18n/en-US.ts
MediumSecret Patterncorpus/templates/clips/app/i18n/es-ES.ts
MediumSecret Patterncorpus/templates/plan/app/i18n/fr-FR.ts
MediumSecret Patterncorpus/templates/plan/app/i18n/ar-SA.ts
MediumSecret Patterncorpus/templates/plan/app/i18n/de-DE.ts
MediumSecret Patterncorpus/templates/plan/app/i18n/en-US.ts
MediumSecret Patterncorpus/templates/plan/app/i18n/es-ES.ts
MediumSecret Patterncorpus/templates/analytics/server/lib/demo-source.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptocorpus/core/src/cli/migrate.ts
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings