
@kosdev-code/kos-ui-cli@3.0.6

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface was established. The package is a CLI with explicit MCP setup commands and a confirm-gated KOS device control surface, which is risky but package-aligned and user-invoked.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version (3.0.5) introduced a source file classified as dangerous.
Trigger
User runs `kosui mcp install*`, `kosui device-mcp`, or generator commands.
Impact
Can modify workspace MCP/Claude guidance files and, when used, can mutate a connected KOS device or project files under user control.
Mechanism
Explicit MCP/skill installation plus confirm-gated device HTTP operations and project code generation.
Rationale
Source inspection shows risky but explicit, package-aligned MCP setup and device-control features rather than unconsented install-time mutation or malware behavior. This merits a warning for agent extension lifecycle risk, not a publish block.
Evidence
  • package.json
  • src/lib/cli.mjs
  • src/lib/mcp/server.mjs
  • src/lib/mcp/install-config.mjs
  • src/lib/mcp/install-skill.mjs
  • src/lib/mcp/install-guidance.mjs
  • src/lib/mcp/device/device-client.mjs
  • src/lib/mcp/device/tools/config-values.mjs
  • src/lib/mcp/device/tools/service-execute.mjs
  • src/lib/mcp/backends/exec-kosui.mjs
  • .mcp.json
  • .cursor/mcp.json
  • .claude/skills/<name>
  • AGENTS.md
  • .nx/cli-cache.json
Network endpoints (4)
  • registry.npmjs.org
  • localhost:8081
  • /api/kos/config
  • /api/kos/openapi

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • Explicit `kosui mcp install` can write MCP client config to `.mcp.json` or `.cursor/mcp.json`.
  • Explicit install also copies package-owned skills into `.claude/skills/<name>` and may append KOS guidance to `AGENTS.md`.
  • `kosui device-mcp` exposes live device write tools and arbitrary discovered endpoint execution, gated by `confirm:true`.
  • Child process use exists for CLI/Nx project operations in `src/lib/utils/utils.mjs`, `src/lib/utils/exec.mjs`, and `src/lib/mcp/backends/exec-kosui.mjs`.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle scripts.
  • Agent/MCP config mutation is only under explicit `kosui mcp install*` subcommands, not install-time or import-time.
  • MCP server entries point back to first-party `kosui mcp` and `kosui device-mcp`, not remote payloads.
  • Network access is package-aligned: device MCP uses user/default base URL `http://localhost:8081` and documented KOS device APIs.
  • No credential harvesting, exfiltration endpoint, destructive persistence, obfuscated payload, or remote code download found in inspected sources.
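Two of the points above can be re-checked by a consumer on the files they actually hold: package.json carries no install-time lifecycle scripts, and the MCP server entries that `kosui mcp install` writes to `.mcp.json` or `.cursor/mcp.json` launch first-party `kosui mcp` / `kosui device-mcp` processes rather than something else. The script below is an added example, not code from @kosdev-code/kos-ui-cli or from this registry. The MCP config shape (`mcpServers` entries with `command`, `args`, `env`), the `KOS_BASE_URL` variable name and both sample JSON documents are constructed assumptions for the demo; the env check goes one step beyond the review by also flagging a server entry whose injected base URL points at a host other than localhost.

```javascript
// Added example, not code from @kosdev-code/kos-ui-cli. Re-checks two of the
// "evidence against" points on files a consumer can read after `kosui mcp install`:
//   1. package.json declares no install-time lifecycle scripts;
//   2. each MCP server entry in .mcp.json / .cursor/mcp.json launches a
//      first-party `kosui mcp` or `kosui device-mcp` process, and any URL it
//      injects through env stays on localhost.
// Config shape, env variable name and sample JSON are assumptions for the demo.

// Scripts npm runs during a consumer's install of this package. `prepare`
// additionally runs for git dependencies and local checkouts.
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

function lifecycleScripts(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts ?? {};
  return INSTALL_SCRIPTS.filter((k) => typeof scripts[k] === "string");
}

// Assumed shared shape of .mcp.json and .cursor/mcp.json:
// { "mcpServers": { "<name>": { "command": "...", "args": [...], "env": {...} } } }
function auditMcpServers(configText) {
  const servers = JSON.parse(configText).mcpServers ?? {};
  const findings = [];
  for (const [server, entry] of Object.entries(servers)) {
    // A url-based entry means the agent talks to a remote server, not a local CLI.
    if (typeof entry.url === "string") {
      findings.push({ server, issue: `remote transport: ${entry.url}` });
      continue;
    }
    const argv = [entry.command, ...(entry.args ?? [])].filter((a) => typeof a === "string");
    // Treat `npx kosui mcp` and `kosui mcp` alike: drop a leading npx and its flags.
    if (argv[0] === "npx") {
      argv.shift();
      while (argv.length && argv[0].startsWith("-")) argv.shift();
    }
    const firstParty = argv[0] === "kosui" && (argv[1] === "mcp" || argv[1] === "device-mcp");
    if (!firstParty) {
      findings.push({ server, issue: `not a first-party kosui entry: ${argv.join(" ") || "(empty)"}` });
    }
    // A base URL the server process inherits decides which device receives writes.
    for (const [key, value] of Object.entries(entry.env ?? {})) {
      const v = String(value);
      if (/^https?:\/\//i.test(v) && !/^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/i.test(v)) {
        findings.push({ server, issue: `env ${key} points off-host: ${v}` });
      }
    }
  }
  return findings;
}

// Constructed sample inputs, not the package's real files.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "@kosdev-code/kos-ui-cli",
  version: "3.0.6",
  scripts: { build: "nx build kos-ui-cli", test: "nx test kos-ui-cli" },
});

const SAMPLE_MCP_JSON = JSON.stringify({
  mcpServers: {
    kosui: { command: "npx", args: ["-y", "kosui", "mcp"] },
    "kos-device": {
      command: "kosui",
      args: ["device-mcp"],
      env: { KOS_BASE_URL: "http://localhost:8081" },
    },
    // The kind of entry the review says is absent: a non-kosui command aimed off-host.
    helper: {
      command: "node",
      args: ["./scripts/helper.js"],
      env: { KOS_BASE_URL: "http://192.168.1.100:8081" },
    },
  },
});

console.log("install-time scripts:", lifecycleScripts(SAMPLE_PACKAGE_JSON));
console.log("mcp findings:", auditMcpServers(SAMPLE_MCP_JSON));
```

Run it against the real files by reading them with `fs.readFileSync` in place of the two sample constants; an empty findings array and an empty scripts array reproduce the "evidence against" bullets, and anything else is the entry to look at.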
Behavioral surface
Source
Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Url Strings
Manifest
No License
scanned 79 file(s), 809 KB of source, external domains: 127.0.0.1, 192.168.1.100

Source & flagged code

5 flagged
src/lib/utils/java-home.mjs · L1
  L1: import { execSync } from "child_process";
  L2: import { platform } from "os";
High · Child Process

Package source references child process execution: `execSync` is imported at the top of java-home.mjs.
src/lib/utils/exec.mjs · L10
  L10: return new Promise((resolve, reject) => {
  L11:   const child = exec(command, { shell: true }, (error, stdout, stderr) => {
  L12:     if (stdout) process.stdout.write(stdout);
High · Shell

Package source references shell execution. `child_process.exec` always runs its command string through the platform shell (the explicit `shell: true` only makes that visible), so whatever reaches `command` is parsed by the shell rather than passed to the child as a literal argument. What matters for review is where callers build `command` from.
src/lib/utils/generator-loader.mjs · L28
  L28: try {
  L29:   const module = await import(modulePath);
  L30:
Medium · Dynamic Require

Package source references dynamic require/import behavior: the generator loader imports a module from the runtime-computed `modulePath`, so the code that ends up executing depends on where that path is resolved from.
src/lib/utils/utils.mjs · L34
  L34: return new Promise((resolve, reject) => {
  L35:   exec("npx nx show projects --json", (error, stdout, stderr) => {
  L36:     if (error) {
High · Runtime Package Install

Package source invokes a package manager install command at runtime. The flagged command, `npx nx show projects --json`, is a project listing rather than an install, but `npx` will fetch and run the `nx` package from the registry when it cannot be resolved locally, which is why the detector counts it.
src/lib/mcp/backends/exec-kosui.mjs
  matchType = previous_version_dangerous_delta
  matchedPackage = @kosdev-code/kos-ui-cli@3.0.5
  matchedIdentity = npm:QGtvc2Rldi1jb2RlL2tvcy11aS1jbGk:3.0.5
  similarity = 0.696
  summary = stored previous version shares package body but lacks this dangerous source file
Critical · Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review. The file is the MCP backend that shells out to the CLI (listed above under child process use), and the Critical rating reflects that it is new relative to 3.0.5, not a confirmed malicious finding.

Findings

1 Critical · 3 High · 4 Medium · 4 Low
Critical · Previous Version Dangerous Delta · src/lib/mcp/backends/exec-kosui.mjs
High · Child Process · src/lib/utils/java-home.mjs
High · Shell · src/lib/utils/exec.mjs
High · Runtime Package Install · src/lib/utils/utils.mjs
Medium · Dynamic Require · src/lib/utils/generator-loader.mjs
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License