registry  /  @kraki/tentacle  /  0.28.3

@kraki/tentacle@0.28.3

Kraki agent bridge — the arm that connects your coding agent to the head

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package is a user-invoked remote coding-agent bridge with daemon persistence, relay connectivity, token-based auth, and local Copilot/Claude adapter control. This is a dangerous dual-use/agent lifecycle surface, but inspection did not confirm malicious install-time or covert behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs kraki setup/start/connect/update or starts the daemon.
Impact
Remote paired clients can drive local coding-agent sessions through the Kraki relay after setup; local daemon persists until stopped.
Mechanism
CLI-managed remote agent bridge with background daemon and relay auth
Rationale
Static inspection shows a high-risk remote agent bridge with explicit daemon/update/setup behavior, but not concrete malicious behavior under the firewall boundary. Because the capability can materially affect local AI-agent control and persists as a daemon, warn rather than block.
Evidence
package.jsondist/cli.jsdist/setup.jsdist/daemon.jsdist/daemon-worker.jsdist/update.jsdist/relay-client.jsdist/adapters/copilot.jsdist/adapters/claude.jsdist/checks.js~/.kraki/config.json~/.kraki/channel.key~/.kraki/github-token~/Library/LaunchAgents/cloud.corelli.kraki*.plist~/.claude/settings.json~/.copilot/mcp-config.json~/.copilot/session-state~/.kraki/copilot-config
Network endpoints7
wss://relay.kraki.chatrelay.kraki.chatapp.kraki.chatgithub.com/login/device/codegithub.com/login/oauth/access_tokenapi.github.com/userapi.github.com/repos/corelli18512/kraki/releases

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/daemon.js writes and loads a macOS LaunchAgents plist for background daemon persistence when started.
  • dist/daemon-worker.js connects a local coding-agent adapter to a remote relay and authenticates with GitHub/channel tokens.
  • dist/setup.js and dist/cli.js read gh auth tokens or saved device-flow tokens for relay login and pairing.
  • dist/adapters/copilot.js and dist/adapters/claude.js wire Copilot/Claude sessions and MCP servers, enabling remote agent operation.
  • dist/update.js can self-update via npm or GitHub release assets when the user runs update.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Main dist/index.js only exports library APIs; daemon/setup behavior is CLI/runtime invoked.
  • Network hosts are package-aligned: relay.kraki.chat, app.kraki.chat, GitHub OAuth/API, and package GitHub releases.
  • Agent config mutations are scoped to Kraki shadow/session directories or explicit setup inputs, not silent install-time hijacking.
  • No evidence of obfuscated payloads, stealth exfiltration, destructive actions, or unconsented npm install-time control-surface mutation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 37 file(s), 617 KB of source, external domains: 127.0.0.1, api.github.com, app.kraki.chat, docs.anthropic.com, github.com, relay.kraki.chat, www.apple.com

Source & flagged code

7 flagged · loading source
dist/checks.jsView file
6*/ L7: import { execSync } from 'node:child_process'; L8: import { constants as fsConstants, promises as fsp, appendFileSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/checks.jsView on unpkg · L6
20* where even `%SystemRoot%\System32` is absent. Tools that spawn L21: * `powershell.exe` / `pwsh.exe` / `where` / `cmd` by short name then L22: * fail with ENOENT — notably the GitHub Copilot SDK, whose PowerShell
High
Shell

Package source references shell execution.

dist/checks.jsView on unpkg · L20
dist/daemon.jsView file
7* On macOS, downloaded SEA binaries carry com.apple.provenance which L8: * cannot be removed. macOS 26+ CSM 2 blocks direct fork()+execve() of L9: * such binaries from child processes. To bypass this, macOS SEA builds L10: * use launchctl to have launchd spawn the daemon in a completely L11: * independent context. If launchctl also fails, the caller falls back ... L36: const home = getKrakiHome(); L37: const defaultHome = join(homedir(), '.kraki'); L38: if (resolve(home) === resolve(defaultHome)) ... L67: if (seaMode) { L68: const { COPILOT_SDK_AUTH_TOKEN: _, COPILOT_AGENT_SESSION_ID: _2, COPILOT_CLI: _3, GITHUB_TOKEN: seaInheritedGhToken, ...seaCleanEnv } = process.env; L69: if (seaInheritedGhToken && !seaInheritedGhToken.startsWith('gho_')) { ... L276: // context that isn't blocked by CSM provenance tracking.
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon.jsView on unpkg · L7
dist/update.jsView file
9*/ L10: import { execSync } from 'node:child_process'; L11: import { existsSync, readFileSync, writeFileSync, mkdirSync, createWriteStream, unlinkSync, chmodSync, renameSync, copyFileSync, realpathSync, rmSync, symlinkSync } from 'node:fs'; ... L13: import { tmpdir, platform } from 'node:os'; L14: import { request as httpRequest } from 'node:http'; L15: import { request as httpsRequest } from 'node:https'; ... L44: } L45: export function shouldBypassProxy(hostname, noProxyRaw = process.env.NO_PROXY ?? process.env.no_proxy ?? '') { L46: if (!noProxyRaw) ... L85: const pass = decodeURIComponent(proxyUrl.password); L86: return `Basic ${Buffer.from(`${user}:${pass}`).toString('base64')}`; L87: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/update.jsView on unpkg · L9
4* Supports two install methods: L5: * - npm global: runs `npm i -g @kraki/tentacle@latest` L6: * - SEA binary: downloads latest release binary from GitHub ... L9: */ L10: import { execSync } from 'node:child_process'; L11: import { existsSync, readFileSync, writeFileSync, mkdirSync, createWriteStream, unlinkSync, chmodSync, renameSync, copyFileSync, realpathSync, rmSync, symlinkSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/update.jsView on unpkg · L4
dist/adapters/copilot.jsView file
266package = @kraki/tentacle; repositoryIdentity = kraki; dependency = @github/copilot-sdk L266: try { L267: return await import('@github/copilot-sdk'); L268: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/adapters/copilot.jsView on unpkg · L266
dist/adapters/pi.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @kraki/tentacle@0.28.1 matchedIdentity = npm:QGtyYWtpL3RlbnRhY2xl:0.28.1 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/adapters/pi.jsView on unpkg

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/adapters/pi.js
HighChild Processdist/checks.js
HighShelldist/checks.js
HighSandbox Evasion Gated Capabilitydist/update.js
HighCopied Package Dependency Bridgedist/adapters/copilot.js
HighRuntime Package Installdist/update.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/daemon.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License