registry  /  @jami-studio/dispatch  /  0.14.7

@jami-studio/dispatch@0.14.7

Dispatch — workspace control plane for agent-native apps. Vault, integrations, destinations, scheduled jobs, and cross-app delegation, shipped as a single drop-in package.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Runtime server import registers Dispatch actions. Authenticated Dispatch users or linked Telegram identities can invoke a remote code-agent relay, and workspace-resource actions can publish all-scope agent resources through the package's resource store. No install-time execution or confirmed covert payload chain is present.

Static reason
No blocking static signals were detected.
Trigger
Consumer imports `@jami-studio/dispatch/server`, then an authenticated user or linked Telegram identity invokes registered actions.
Impact
Can create or relay code-agent work and materialize workspace-wide agent instructions; this is an explicit product capability rather than covert package compromise.
Mechanism
Package-owned agent control-plane actions, guarded by application identity and approval/resource flows.
Rationale
The package is not malicious by source evidence, but it intentionally provides high-impact agent and workspace-resource control capabilities at runtime. Flag as warn so consumers assess authentication, relay configuration, and approval policy.
Evidence
package.jsonsrc/server/index.tssrc/actions/send-code-agent-remote-command.tssrc/server/lib/dispatch-remote-commands.tssrc/server/lib/workspace-resources-store.tssrc/server/lib/dispatch-integrations.tssrc/server/lib/vault-store.tssrc/server/lib/dispatch-store.tssrc/actions/create-pylon-ticket.tssrc/actions/view-screen.ts
Network endpoints4
api.sendgrid.com/v3/mail/sendslack.com/api/users.infoslack.com/api/conversations.infoapi.usepylon.com/issues

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/server/index.ts` registers package actions on server import.
  • `src/server/lib/workspace-resources-store.ts` materializes all-scope skills/instructions/agents into the workspace resource store.
  • `src/actions/send-code-agent-remote-command.ts` sends authenticated user commands to a remote code-agent relay.
  • `src/server/lib/dispatch-remote-commands.ts` accepts linked Telegram `/code` commands and relays create/continue/approve/stop requests.
Evidence against
  • `package.json` has only `prepack` and `prepublishOnly`; no install-time lifecycle hook.
  • No package source use of `child_process`, shell execution, `eval`, or native/binary loading was found.
  • Remote-code action requires `getRequestUserEmail()`; Telegram flow resolves a linked owner.
  • Outbound requests are integration functions for Slack, SendGrid, Pylon, and the configured application relay; no hidden exfiltration endpoint found.
  • No `.claude`, `.cursor`, `.codex`, git-hook, or broad filesystem mutation code was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 489 file(s), 2.43 MB of source, external domains: 127.0.0.1, agent-native.invalid, analytics.example.test, analytics.jami.studio, api.example.com, api.example.test, api.sendgrid.com, api.usepylon.com, app.example.com, assets.jami.studio, attacker.example.test, brain.jami.studio, builder.io, calendar.jami.studio, cdn.example.com, dispatch.agent-native.test, dispatch.jami.studio, esm.sh, example.com, forms.example.com, mail.jami.studio, slack.com, slides.example.test, todo.example.com, workspace.example.test

Source & flagged code

1 flagged · loading source
dist/actions/view-screen.jsView file
19const modulePath = `./${name}.js`; L20: const module = (await import(/* @vite-ignore */ modulePath)); L21: if (!module.default)
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/actions/view-screen.jsView on unpkg · L19

Findings

4 Medium5 Low
MediumDynamic Requiredist/actions/view-screen.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings