registry  /  @jun133/kitty  /  0.0.17

@jun133/kitty@0.0.17

Agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `kitty`, `kitty agent`, `kitty run`, Telegram service, or an agent turn that invokes its tools.
Impact
A configured or prompt-directed agent can act with the invoking user's local permissions and send requests to configured providers or user-supplied URLs.
Mechanism
User-invoked LLM agent can execute local commands and manipulate project files/network requests.
Rationale
The package is not malicious by source evidence, but it provides broad agentic execution capabilities and defaults/configures third-party provider endpoints. Flag as a warning so policy can account for its high-impact user-invoked behavior without treating its informational postinstall as malicious.
Evidence
package.jsonscripts/postinstall.cjsdist/cli.jsdist/chunk-KV4OVHWG.mjsdist/chunk-UWXNKYFN.mjs.kitty/.env
Network endpoints5
api.openai.com/v1api.deepseek.comcode.ylsagi.com/codexw.ciykj.cnapi.telegram.org

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-KV4OVHWG.mjs` exposes an agent `bash` tool that runs supplied commands through Bash/PowerShell.
  • The same chunk registers file read/write/edit, arbitrary HTTP, download, background-process, and worktree tools.
  • `dist/cli.js` exposes user-invoked `agent`, `run`, Telegram, and web-service commands.
  • Provider presets include third-party AI endpoints and runtime configuration accepts API keys.
Evidence against
  • `scripts/postinstall.cjs` only prints installation and setup guidance.
  • No lifecycle hook writes files, starts processes, contacts networks, or modifies agent configuration.
  • Package execution is gated behind explicit CLI commands; no import-time attack behavior was found.
  • No credential harvesting, stealth persistence, remote payload loading, or destructive install-time logic was identified.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 852 KB of source, external domains: api.deepseek.com, api.openai.com, api.telegram.org, code.ylsagi.com, w.ciykj.cn, www.apache.org
Oversized source lightweight scan
dist/cli.js10.3 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketDynamicRequireHighEntropyStringsUrlStringsapi.telegram.orgwww.apache.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
dist/chunk-C3MFBHV3.mjsView file
11transport: "standard", L12: defaultBaseUrl: "https://api.deepseek.com", L13: requestTimeoutMs: DEFAULT_REQUEST_TIMEOUT_MS, ... L460: const command = typeof payload?.command === "string" ? payload.command : "command"; L461: const exitCode = typeof payload?.exitCode === "number" ? payload.exitCode : "unknown"; L462: return `bash ${truncate(oneLine2(command), 120)} (exit ${exitCode})`; ... L499: try { L500: const parsed = JSON.parse(raw); L501: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/chunk-C3MFBHV3.mjsView on unpkg · L11
dist/cli.jsView file
path = dist/cli.js kind = oversized_source_file sizeBytes = 10779849 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli.jsView on unpkg
path = dist/cli.js kind = oversized_cli_entrypoint sizeBytes = 10779849 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/cli.jsView on unpkg

Findings

2 High5 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighOversized Source Filedist/cli.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/chunk-C3MFBHV3.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings