registry  /  @jinhx128/agentmesh  /  0.1.13

@jinhx128/agentmesh@0.1.13

CLI for orchestrating local AI coding agents through traceable run packets.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `agentmesh skill install`, `agentmesh update install`, or flow/MCP commands.
Impact
A user-requested skill install can influence supported coding-agent behavior in that project; configured commands inherit the user environment.
Mechanism
Explicit AI-agent skill setup and local subprocess orchestration.
Rationale
No concrete malicious behavior was found after source inspection, but the package deliberately mutates AI-agent skill surfaces on an explicit command and orchestrates local agent processes. Flag as warn under the agent-control capability policy rather than block.
Evidence
package.jsonpackages/skills/agentmesh-skill/SKILL.mddist-node/packages/skills/src/verify.jsdist-node/packages/runtime/src/adapters.jsdist-node/packages/runtime/src/cli-management.jsdist-node/packages/runtime/src/update/check.js.agents/skills/agentmesh/SKILL.md.claude/skills/agentmesh/SKILL.md
Network endpoints2
registry.npmjs.org/@jinhx128%2Fagentmesh/latestapi.github.com/repos/jinhx128/agentmesh/releases/latest

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `skill install` explicitly writes AgentMesh skill files into Codex/Claude-compatible project directories.
  • `update install --target cli` can run npm globally when invoked.
  • Configured agent and MCP commands are executed as local subprocesses with inherited environment.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • No eval/vm/Function or dynamic module-loading primitive was found in inspected source.
  • Network use is limited to explicit update/version checks against npm and GitHub.
  • Bundled skill tells agents not to store tokens, cookies, API keys, or session files.
  • No credential harvesting, exfiltration, stealth persistence, or destructive behavior was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
Manifest
NoLicense
scanned 126 file(s), 1.65 MB of source, external domains: api.github.com, github.com, mantine.dev, react.dev, registry.npmjs.org, studio.local, www.w3.org

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

6 Medium6 Low
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumAi Review Evidence
MediumAi Review Evidence
MediumAi Review Evidence
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings
LowNo License