registry  /  @kraki/tentacle  /  0.28.5

@kraki/tentacle@0.28.5

Kraki agent bridge — the arm that connects your coding agent to the head

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a user-invoked remote coding-agent bridge with expected daemon, relay, updater, and agent-permission plumbing.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs kraki setup/start/update or connects a configured daemon.
Impact
Remote paired clients can steer configured local coding agents according to Kraki modes; no unconsented npm install-time mutation was found.
Mechanism
Package-aligned relay connection and local agent adapter orchestration
Rationale
Static inspection shows dangerous primitives, persistence, credential access, network, and agent control are tied to the documented, user-invoked Kraki bridge/update functionality, with no lifecycle hook or covert install-time hijack. The appropriate firewall action is clean rather than blocking a package-aligned remote agent tool.
Evidence
package.jsonREADME.mddist/cli.jsdist/setup.jsdist/daemon.jsdist/daemon-worker.jsdist/update.jsdist/adapters/pi.jsdist/adapters/pi-kraki-tools.jsdist/adapters/copilot.jsdist/checks.jsdist/config.js
Network endpoints6
wss://relay.kraki.chatrelay.kraki.chatapp.kraki.chatapi.github.comgithub.com/login/device/codegithub.com/login/oauth/access_token

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/daemon.js creates a user launchd agent for daemon persistence when the user starts Kraki on macOS SEA.
  • dist/adapters/pi.js materializes a Pi extension and auto-approves tools in execute/delegate modes as part of remote agent control.
  • dist/adapters/copilot.js creates a shadow Copilot config and empty permissions-config.json under Kraki state to route approvals through Kraki.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; execution is via user-invoked kraki CLI/bin.
  • README.md describes the package as a coding-agent bridge to watch/steer sessions from another device.
  • dist/setup.js and dist/cli.js perform interactive/headless setup before saving relay/auth config or starting the daemon.
  • dist/update.js updater is an explicit kraki update command using GitHub releases/npm, with checksum support for binaries.
  • Credential reads are local and package-aligned: gh auth token, saved GitHub token, or user-provided Anthropic key for configured agents.
  • No source-inspected path shows covert exfiltration, destructive install-time behavior, or remote payload execution outside the declared bridge/update flows.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 37 file(s), 617 KB of source, external domains: 127.0.0.1, api.github.com, app.kraki.chat, docs.anthropic.com, github.com, relay.kraki.chat, www.apple.com

Source & flagged code

7 flagged · loading source
dist/checks.jsView file
6*/ L7: import { execSync } from 'node:child_process'; L8: import { constants as fsConstants, promises as fsp, appendFileSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
High
Child Process

Package source references child process execution.

dist/checks.jsView on unpkg · L6
20* where even `%SystemRoot%\System32` is absent. Tools that spawn L21: * `powershell.exe` / `pwsh.exe` / `where` / `cmd` by short name then L22: * fail with ENOENT — notably the GitHub Copilot SDK, whose PowerShell
High
Shell

Package source references shell execution.

dist/checks.jsView on unpkg · L20
dist/daemon.jsView file
7* On macOS, downloaded SEA binaries carry com.apple.provenance which L8: * cannot be removed. macOS 26+ CSM 2 blocks direct fork()+execve() of L9: * such binaries from child processes. To bypass this, macOS SEA builds L10: * use launchctl to have launchd spawn the daemon in a completely L11: * independent context. If launchctl also fails, the caller falls back ... L36: const home = getKrakiHome(); L37: const defaultHome = join(homedir(), '.kraki'); L38: if (resolve(home) === resolve(defaultHome)) ... L67: if (seaMode) { L68: const { COPILOT_SDK_AUTH_TOKEN: _, COPILOT_AGENT_SESSION_ID: _2, COPILOT_CLI: _3, GITHUB_TOKEN: seaInheritedGhToken, ...seaCleanEnv } = process.env; L69: if (seaInheritedGhToken && !seaInheritedGhToken.startsWith('gho_')) { ... L276: // context that isn't blocked by CSM provenance tracking.
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon.jsView on unpkg · L7
dist/update.jsView file
9*/ L10: import { execSync } from 'node:child_process'; L11: import { existsSync, readFileSync, writeFileSync, mkdirSync, createWriteStream, unlinkSync, chmodSync, renameSync, copyFileSync, realpathSync, rmSync, symlinkSync } from 'node:fs'; ... L13: import { tmpdir, platform } from 'node:os'; L14: import { request as httpRequest } from 'node:http'; L15: import { request as httpsRequest } from 'node:https'; ... L44: } L45: export function shouldBypassProxy(hostname, noProxyRaw = process.env.NO_PROXY ?? process.env.no_proxy ?? '') { L46: if (!noProxyRaw) ... L85: const pass = decodeURIComponent(proxyUrl.password); L86: return `Basic ${Buffer.from(`${user}:${pass}`).toString('base64')}`; L87: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/update.jsView on unpkg · L9
4* Supports two install methods: L5: * - npm global: runs `npm i -g @kraki/tentacle@latest` L6: * - SEA binary: downloads latest release binary from GitHub ... L9: */ L10: import { execSync } from 'node:child_process'; L11: import { existsSync, readFileSync, writeFileSync, mkdirSync, createWriteStream, unlinkSync, chmodSync, renameSync, copyFileSync, realpathSync, rmSync, symlinkSync } from 'node:fs';
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/update.jsView on unpkg · L4
dist/adapters/copilot.jsView file
266package = @kraki/tentacle; repositoryIdentity = kraki; dependency = @github/copilot-sdk L266: try { L267: return await import('@github/copilot-sdk'); L268: }
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/adapters/copilot.jsView on unpkg · L266
dist/adapters/pi.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @kraki/tentacle@0.28.1 matchedIdentity = npm:QGtyYWtpL3RlbnRhY2xl:0.28.1 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/adapters/pi.jsView on unpkg

Findings

1 Critical5 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/adapters/pi.js
HighChild Processdist/checks.js
HighShelldist/checks.js
HighSandbox Evasion Gated Capabilitydist/update.js
HighCopied Package Dependency Bridgedist/adapters/copilot.js
HighRuntime Package Installdist/update.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/daemon.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License