registry  /  @lebtiga/sonic-agent  /  2.0.16

@lebtiga/sonic-agent@2.0.16

Sonic — a specialized AI agent for building WordPress authority websites at scale. Founders cohort license required.

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a licensed thin client that installs a Claude Code plugin, validates a license, and fetches protected skills from the vendor service after user activation or launch.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm postinstall prompt or explicit sonic activate/start/doctor/autopilot commands
Impact
User-provided license/email and machine fingerprint are sent to vendor endpoints; plugin files and protected skills are written under ~/.sonic and project scaffolding under .sonic when invoked.
Mechanism
interactive plugin installer, license validation, remote skill-pack fetch, Claude Code launcher
Rationale
The suspicious primitives are consistent with a commercial Claude Code plugin/CLI: install-time setup is interactive, network traffic is for license validation and protected skill delivery, and file writes are limited to declared Sonic/plugin/project state. I found no hidden lifecycle exfiltration, import-time execution, credential harvesting, persistence outside the product install path, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonscripts/postinstall.jsbin/sonic.jslib/installer.jslib/license.jslib/server-validate.jslib/skillpack.jslib/autopilot.jslib/doctor.jsplugin/agents/sonic.mdplugin/commands/sonic-help.md~/.sonic/sonic-agent~/.sonic/sonic-skills~/.sonic/sonic-user~/.sonic/.license.json~/.sonic/.grant.json~/.sonic/sonic-agent/.skillpack-version.sonic/project.json.sonic/autopilot/run.json.sonic/autopilot/autopilot.log
Network endpoints8
zjvmclbpjjzsmboptwgk.supabase.co/functions/v1/validate-licensezjvmclbpjjzsmboptwgk.supabase.co/functions/v1/fetch-skillpackzjvmclbpjjzsmboptwgk.supabase.co/functions/v1/skillpack-manifestapi.anthropic.comapi.openai.comgenerativelanguage.googleapis.comfal.runapi.pexels.com

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json runs postinstall script
  • scripts/postinstall.js prompts for license/email and writes installer state under ~/.sonic
  • lib/server-validate.js posts license/email/machine metadata to Supabase validate-license endpoint
  • lib/skillpack.js downloads and extracts a remote skill pack into ~/.sonic/sonic-agent after license validation
  • bin/sonic.js can launch Claude with --plugin-dir and optional --dangerously-skip-permissions via user command/env
  • plugin/commands/sonic-help.md references skills excluded from package and supplied by remote pack
Evidence against
  • postinstall is interactive and skips CI/SONIC_SKIP_POSTINSTALL; it does not validate or exfiltrate during install
  • network calls are license/skillpack aligned and triggered by activate/start/doctor, not hidden import-time behavior
  • remote skill pack download checks SHA-256 from server response before extraction
  • installer writes only Sonic-owned ~/.sonic paths and project .sonic init/autopilot files on explicit commands
  • no code found harvesting shell credentials, SSH keys, npm tokens, wallets, or arbitrary user files
  • plugin prompts are domain-aligned WordPress/SEO instructions, not reviewer manipulation or credential theft
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 21 file(s), 134 KB of source, external domains: api.anthropic.com, api.openai.com, api.pexels.com, claude.com, fal.run, generativelanguage.googleapis.com, nodejs.org, sonic.saasperity.com, zjvmclbpjjzsmboptwgk.supabase.co

Source & flagged code

7 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
lib/server-validate.jsView file
24patternName = supabase_service_key severity = critical line = 24 matchedText = 'eyJhbGc...MY';
Critical
Critical Secret

Package contains a critical-looking secret pattern.

lib/server-validate.jsView on unpkg · L24
24patternName = supabase_service_key severity = critical line = 24 matchedText = 'eyJhbGc...MY';
Critical
Secret Pattern

Supabase service role key (JWT) in lib/server-validate.js

lib/server-validate.jsView on unpkg · L24
bin/sonic.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @lebtiga/sonic-agent@2.0.15 matchedIdentity = npm:QGxlYnRpZ2Evc29uaWMtYWdlbnQ:2.0.15 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/sonic.jsView on unpkg
12L13: const fs = require('fs'); L14: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/sonic.jsView on unpkg · L12
lib/doctor.jsView file
12const os = require('node:os'); L13: const https = require('node:https'); L14: const { execSync, spawnSync } = require('node:child_process'); L15: ... L26: L27: const pkg = require('../package.json'); L28: ... L50: function findClaudeBin() { L51: const PATH = process.env.PATH || ''; L52: const sep = process.platform === 'win32' ? ';' : ':'; L53: const ext = process.platform === 'win32' ? ['.exe', '.cmd', ''] : ['']; ... L80: // The #1 support ticket: root-owned npm cache / global dir.
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

lib/doctor.jsView on unpkg · L12

Findings

3 Critical2 High5 Medium4 Low
CriticalCritical Secretlib/server-validate.js
CriticalPrevious Version Dangerous Deltabin/sonic.js
CriticalSecret Patternlib/server-validate.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitylib/doctor.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requirebin/sonic.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings