registry  /  @kraki/tentacle  /  0.28.1

@kraki/tentacle@0.28.1

Kraki agent bridge — the arm that connects your coding agent to the head

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an explicit Kraki CLI/daemon that connects local coding agents to a configured relay and manages user-invoked setup, pairing, daemon startup, and updates.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `kraki`, `kraki setup`, `kraki start`, `kraki connect`, or `kraki update`.
Impact
User-approved remote control bridge for coding agents; no unconsented install-time persistence or foreign AI-agent hijack found.
Mechanism
Explicit remote agent bridge with daemon, relay WebSocket, setup, and updater
Rationale
Static inspection shows powerful but package-aligned functionality for an explicit remote coding-agent bridge, with no npm lifecycle hooks and no hidden install-time mutation or exfiltration chain. The scanner's dangerous primitives are explained by CLI setup, daemon management, agent adapter compatibility, and user-invoked updating.
Evidence
package.jsondist/cli.jsdist/daemon-worker.jsdist/daemon.jsdist/setup.jsdist/config.jsdist/checks.jsdist/update.jsdist/adapters/copilot.jsdist/relay-client.js~/.kraki/config.json~/.kraki/github-token~/.kraki/channel.key~/.kraki/daemon.pid~/.kraki/copilot-config/permissions-config.json~/.claude/settings.json
Network endpoints7
wss://relay.kraki.chatrelay.kraki.chatgithub.com/login/device/codegithub.com/login/oauth/access_tokenapi.github.com/userapi.github.com/repos/corelli18512/kraki/releasesapp.kraki.chat

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/daemon-worker.js reads GitHub auth token via `gh auth token` or saved token to authenticate to relay.
  • dist/setup.js and dist/config.js can save GitHub/Anthropic tokens under user config during explicit setup/headless setup.
  • dist/daemon.js writes a macOS LaunchAgents plist and spawns a daemon when user runs the CLI.
  • dist/adapters/copilot.js creates a shadow Copilot config dir and writes empty permissions-config.json.
  • dist/update.js can self-update via npm global install or GitHub release binary when `kraki update` is invoked.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; only bin `kraki` and main entrypoint.
  • Risky behavior is user-command/runtime behavior for a remote coding-agent bridge, not install-time mutation.
  • Network hosts are package-aligned: relay.kraki.chat, app.kraki.chat, api.github.com, github.com repository releases/auth.
  • Copilot permission config write is a package-owned shadow under Kraki home, intended to force permission prompts, not silently alter ~/.copilot permissions.
  • No source evidence of credential exfiltration beyond authenticating/pairing with configured relay; no obfuscated payload or hidden remote code execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 36 file(s), 610 KB of source, external domains: 127.0.0.1, api.github.com, app.kraki.chat, docs.anthropic.com, github.com, relay.kraki.chat, www.apple.com

Source & flagged code

7 flagged · loading source
dist/checks.jsView file
6*/ L7: import { execSync } from 'node:child_process'; L8: import { constants as fsConstants, promises as fsp, appendFileSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/checks.jsView on unpkg · L6
20* where even `%SystemRoot%\System32` is absent. Tools that spawn L21: * `powershell.exe` / `pwsh.exe` / `where` / `cmd` by short name then L22: * fail with ENOENT — notably the GitHub Copilot SDK, whose PowerShell
High
Shell

Package source references shell execution.

dist/checks.jsView on unpkg · L20
dist/daemon.jsView file
7* On macOS, downloaded SEA binaries carry com.apple.provenance which L8: * cannot be removed. macOS 26+ CSM 2 blocks direct fork()+execve() of L9: * such binaries from child processes. To bypass this, macOS SEA builds L10: * use launchctl to have launchd spawn the daemon in a completely L11: * independent context. If launchctl also fails, the caller falls back ... L36: const home = getKrakiHome(); L37: const defaultHome = join(homedir(), '.kraki'); L38: if (resolve(home) === resolve(defaultHome)) ... L67: if (seaMode) { L68: const { COPILOT_SDK_AUTH_TOKEN: _, COPILOT_AGENT_SESSION_ID: _2, COPILOT_CLI: _3, GITHUB_TOKEN: seaInheritedGhToken, ...seaCleanEnv } = process.env; L69: if (seaInheritedGhToken && !seaInheritedGhToken.startsWith('gho_')) { ... L276: // context that isn't blocked by CSM provenance tracking.
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon.jsView on unpkg · L7
dist/update.jsView file
9*/ L10: import { execSync } from 'node:child_process'; L11: import { existsSync, readFileSync, writeFileSync, mkdirSync, createWriteStream, unlinkSync, chmodSync, renameSync, copyFileSync, realpathSync, rmSync, symlinkSync } from 'node:fs'; ... L13: import { tmpdir, platform } from 'node:os'; L14: import { request as httpRequest } from 'node:http'; L15: import { request as httpsRequest } from 'node:https'; ... L44: } L45: export function shouldBypassProxy(hostname, noProxyRaw = process.env.NO_PROXY ?? process.env.no_proxy ?? '') { L46: if (!noProxyRaw) ... L85: const pass = decodeURIComponent(proxyUrl.password); L86: return `Basic ${Buffer.from(`${user}:${pass}`).toString('base64')}`; L87: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/update.jsView on unpkg · L9
4* Supports two install methods: L5: * - npm global: runs `npm i -g @kraki/tentacle@latest` L6: * - SEA binary: downloads latest release binary from GitHub ... L9: */ L10: import { execSync } from 'node:child_process'; L11: import { existsSync, readFileSync, writeFileSync, mkdirSync, createWriteStream, unlinkSync, chmodSync, renameSync, copyFileSync, realpathSync, rmSync, symlinkSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/update.jsView on unpkg · L4
dist/adapters/copilot.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @kraki/tentacle@0.25.0 matchedIdentity = npm:QGtyYWtpL3RlbnRhY2xl:0.25.0 similarity = 0.750 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/adapters/copilot.jsView on unpkg
266package = @kraki/tentacle; repositoryIdentity = kraki; dependency = @github/copilot-sdk L266: try { L267: return await import('@github/copilot-sdk'); L268: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/adapters/copilot.jsView on unpkg · L266

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/adapters/copilot.js
HighChild Processdist/checks.js
HighShelldist/checks.js
HighSandbox Evasion Gated Capabilitydist/update.js
HighCopied Package Dependency Bridgedist/adapters/copilot.js
HighRuntime Package Installdist/update.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/daemon.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License