registry  /  @kairyou/agent-tools  /  0.1.0

@kairyou/agent-tools@0.1.0

Skills and runtime integrations for Codex, Claude Code, and opencode.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs `agent-tools statusline` or `agent-tools usage` with a selected agent; installed hooks/statusline then run during agent use.
Impact
A configured gateway receives its own bearer credential; a hostile gateway can supply JavaScript evaluated in the VM challenge parser.
Mechanism
Explicit agent-config mutation plus configured provider-usage API requests.
Rationale
No lifecycle hook or concrete malicious exfiltration/persistence chain was found. However, explicit AI-agent integration setup combined with bearer-token network requests and response-derived VM execution warrants a warning.
Evidence
package.jsonscripts/install.mjslib/usage.mjshooks/codex/usage-hook.mjsstatusline/claude/statusline.mjsplugins/opencode/usage-plugin.mjs~/.agent-tools/~/.claude/settings.json~/.codex/hooks.json~/.config/opencode/plugins/agent-tools-usage.js~/.config/opencode/tui.json~/.codex/auth.json~/.codex/config.toml

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `lib/usage.mjs` sends configured provider API keys as Bearer auth to a non-official configured base URL.
  • `lib/usage.mjs` executes anti-bot JavaScript fragments from a gateway response with `node:vm`.
  • `scripts/install.mjs` can add persistent Claude, Codex, and OpenCode integrations.
Evidence against
  • `package.json` has no npm lifecycle scripts; installation changes require explicit `agent-tools` CLI use.
  • Network targets derive from user/provider configuration and implement documented usage/quota queries.
  • No hard-coded third-party exfiltration host, payload download, credential-file upload, or destructive action was found.
  • Codex hook setup is explicitly disclosed and requires user approval in Codex.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 78.2 KB of source, external domains: api.anthropic.com, api.openai.com

Source & flagged code

3 flagged · loading source
statusline/claude/statusline.mjsView file
12L13: import { execFileSync, spawn } from "node:child_process"; L14: import fs from "node:fs";
High
Child Process

Package source references child process execution.

statusline/claude/statusline.mjsView on unpkg · L12
12Cross-file remote execution chain: statusline/claude/statusline.mjs spawns lib/usage.mjs; helper contains network access plus dynamic code execution. L12: L13: import { execFileSync, spawn } from "node:child_process"; L14: import fs from "node:fs"; ... L18: const SCRIPT_DIR = dirname(fileURLToPath(import.meta.url)); L19: const AGENT_TOOLS_HOME = process.env.AGENT_TOOLS_HOME || join(SCRIPT_DIR, "..", ".."); L20: const DEFAULT_CONFIG_FILE = join(AGENT_TOOLS_HOME, "config.jsonc"); ... L56: for await (const chunk of process.stdin) chunks.push(chunk); L57: return Buffer.concat(chunks).toString("utf8"); L58: } ... L213: function renderField(field, data, config) { L214: const dir = data?.workspace?.current_dir || data?.cwd || process.cwd() || ""; L215: const projectDir = data?.workspace?.project_dir || dir;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

statusline/claude/statusline.mjsView on unpkg · L12
lib/usage.mjsView file
12L13: const CODEX_HOME = process.env.CODEX_HOME || join(homedir(), ".codex"); L14: const AGENT_TOOLS_HOME = process.env.AGENT_TOOLS_HOME || join(homedir(), ".agent-tools"); ... L66: if (message) payload.systemMessage = message; L67: process.stdout.write(`${JSON.stringify(payload)}\n`); L68: } ... L196: async function readJson(path) { L197: return JSON.parse(await readFile(path, "utf8")); L198: } ... L314: return [ L315: "https://api.openai.com", L316: "https://api.openai.com/v1",
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

lib/usage.mjsView on unpkg · L12

Findings

3 High3 Medium4 Low
HighChild Processstatusline/claude/statusline.mjs
HighShell
HighCross File Remote Execution Contextstatusline/claude/statusline.mjs
MediumUnsafe Vm Contextlib/usage.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings