AI Security Review
scanned 2h ago · by lpm-firewall-aiReview flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.
Static reason
No blocking static signals were detected.
Trigger
User runs `kitty`, `kitty agent`, `kitty run`, Telegram service, or an agent turn that invokes its tools.
Impact
A configured or prompt-directed agent can act with the invoking user's local permissions and send requests to configured providers or user-supplied URLs.
Mechanism
User-invoked LLM agent can execute local commands and manipulate project files/network requests.
Rationale
The package is not malicious by source evidence, but it provides broad agentic execution capabilities and defaults/configures third-party provider endpoints. Flag as a warning so policy can account for its high-impact user-invoked behavior without treating its informational postinstall as malicious.
Evidence
package.jsonscripts/postinstall.cjsdist/cli.jsdist/chunk-KV4OVHWG.mjsdist/chunk-UWXNKYFN.mjs.kitty/.env
Network endpoints5
api.openai.com/v1api.deepseek.comcode.ylsagi.com/codexw.ciykj.cnapi.telegram.org
Decision evidence
public snapshotAI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/chunk-KV4OVHWG.mjs` exposes an agent `bash` tool that runs supplied commands through Bash/PowerShell.
- The same chunk registers file read/write/edit, arbitrary HTTP, download, background-process, and worktree tools.
- `dist/cli.js` exposes user-invoked `agent`, `run`, Telegram, and web-service commands.
- Provider presets include third-party AI endpoints and runtime configuration accepts API keys.
Evidence against
- `scripts/postinstall.cjs` only prints installation and setup guidance.
- No lifecycle hook writes files, starts processes, contacts networks, or modifies agent configuration.
- Package execution is gated behind explicit CLI commands; no import-time attack behavior was found.
- No credential harvesting, stealth persistence, remote payload loading, or destructive install-time logic was identified.
Behavioral surface
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
HighEntropyStringsUrlStrings
Oversized source lightweight scan
dist/cli.js10.3 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketDynamicRequireHighEntropyStringsUrlStringsapi.telegram.orgwww.apache.org
Source & flagged code
4 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node scripts/postinstall.cjs
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgdist/chunk-C3MFBHV3.mjsView file
11transport: "standard",
L12: defaultBaseUrl: "https://api.deepseek.com",
L13: requestTimeoutMs: DEFAULT_REQUEST_TIMEOUT_MS,
...
L460: const command = typeof payload?.command === "string" ? payload.command : "command";
L461: const exitCode = typeof payload?.exitCode === "number" ? payload.exitCode : "unknown";
L462: return `bash ${truncate(oneLine2(command), 120)} (exit ${exitCode})`;
...
L499: try {
L500: const parsed = JSON.parse(raw);
L501: return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
Low
Weak Crypto
Package source references weak cryptographic algorithms.
dist/chunk-C3MFBHV3.mjsView on unpkg · L11dist/cli.jsView file
•path = dist/cli.js
kind = oversized_source_file
sizeBytes = 10779849
magicHex = [redacted]
High
Oversized Source File
Package contains source files above the static scanner size ceiling.
dist/cli.jsView on unpkg•path = dist/cli.js
kind = oversized_cli_entrypoint
sizeBytes = 10779849
magicHex = [redacted]
Medium
Oversized Cli Entrypoint
Package contains an oversized executable-looking CLI entrypoint.
dist/cli.jsView on unpkgFindings
2 High5 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighOversized Source Filedist/cli.js
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumOversized Cli Entrypointdist/cli.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/chunk-C3MFBHV3.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings