registry  /  @livx.cc/agentx  /  0.99.4

@livx.cc/agentx@0.99.4

Edge-native AI agent runtime — drives a virtual filesystem via any LLM (ai.libx.js). Same bytes run in node, browser, or edge.

AI Security Review

scanned 6d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is an AI agent CLI/runtime with powerful user-invoked shell, web, MCP, memory, session, and scheduling features, but inspection did not find unconsented install-time mutation or exfiltration.

Static reason
No blocking static signals were detected.
Trigger
User runs agentx CLI or imports exported runtime APIs
Impact
Can read/write project state and run commands when used as an agent, subject to CLI trust/permission modes; no hidden install-time attack found.
Mechanism
User-invoked agent runtime capabilities
Rationale
Source inspection shows a high-capability agent tool, but the risky behaviors are aligned with explicit CLI/runtime functionality and no unconsented install-time agent control-surface mutation, credential theft, destructive action, or remote payload execution was found. The prepare hook is limited to repository git hook configuration and is not a publish-blocking install hook under the stated policy.
Evidence
package.jsondist/cli.jsdist/index.jsdist/tools.shell.jsdist/mcp.client.jsREADME.md.agent/sessions~/.agent/sessions.agent/settings.json.agent/permissions.json~/.agent/trusted.json~/.agent/sched~/Library/LaunchAgents/cc.livx.agentx.sched-*.plist.agent/mcp-auth.json
Network endpoints6
registry.npmjs.org/@livx.cc/agentx/latestapi.tavily.com/searchapi.firecrawl.dev/v1/searchapi.anthropic.com/v1/messageshtml.duckduckgo.com/html/bodify.bod.ee/api/apps/

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • package.json has prepare hook: git config core.hooksPath .githooks
  • dist/cli.js can create OS scheduled jobs under ~/.agent/sched and LaunchAgents/crontab
  • dist/tools.shell.js exposes user-invoked /bin/sh Shell tool
  • dist/mcp.client.js can spawn configured MCP stdio commands
Evidence against
  • No preinstall/install/postinstall script in package.json
  • prepare hook is VCS/dev-time git hook setup, not npm install-time broad agent hijack
  • dist/cli.js main only runs on bin invocation; import side effects are definitions/exports
  • CLI prompts for directory trust unless --yes before file-editing workflow
  • Shell, MCP, scheduling, web, and memory writes are documented agent features activated by CLI/config/user commands
  • Secret handling redacts shell output/env and denies common secret paths in jail defaults
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsObfuscatedUrlStrings
Manifest
WildcardDependency
scanned 4 file(s), 945 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.firecrawl.dev, api.tavily.com, bodify.bod.ee, github.com, html.duckduckgo.com, registry.npmjs.org

Source & flagged code

3 flagged · loading source
dist/index.jsView file
4183if (!/^[A-Za-z_]\w{0,39}$/.test(spec.name)) throw new Error(`invalid tool name '${spec.name}'`); L4184: const fn = new Function("args", "ctx", `"use strict"; return (async (args, ctx) => { ${spec.code} })(args, ctx);`); L4185: return {
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/index.jsView on unpkg · L4183
dist/cli.jsView file
507try { L508: _dnsLookup = (await import("dns/promises")).lookup; L509: } catch {
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli.jsView on unpkg · L507
22CONFIG_FILE_RE = /(^|\/)\.(agent|claude)\/(settings(\.[\w-]+)?\.json|config\.(json|js|mjs|cjs|ts))$/i; L23: SECRET_PAIR = /((?:^|[\s,{[])(?:export\s+)?["']?[\w.\-]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|PRIVATE_KEY|ACCESS_?KEY|AUTH(?:_?TOKEN)?|BEARER)[\w.\-]*["']?\s*[:=]\s*)(["']... L24: SECRET_TOKEN = /\b(sk-ant-[\w-]{12,}|sk-[A-Za-z0-9]{20,}|ghp_[A-Za-z0-9]{20,}|gho_[A-Za-z0-9]{20,}|github_pat_[\w]{20,}|xox[baprs]-[\w-]{10,}|AKIA[0-9A-Z]{12,}|AIza[\w-]{20,}|eyJ[\... ... L522: if (!reader) { L523: const t = await res.text(); L524: return t.length > maxBytes ? t.slice(0, maxBytes) : t; ... L591: if (blocked) return `Error: refusing to fetch a private/internal address (${blocked}) \u2014 set allowPrivateHosts to override`; L592: res = await doFetch(current, { signal: ctl.signal, redirect: "manual", headers: { "user-agent": "agentx (+https://github.com/Livshitz/agentx)" } }); L593: if (res.status >= 300 && res.status < 400 && res.headers.get("location")) { ... L652: headers: { authorization: `Bearer ${opts.key}`, "content-type": "application/json" }, L653: body: JSON.stringify({ query: q2, limit: opts.maxResults }) L654: });
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L22

Findings

6 Medium7 Low
MediumDynamic Requiredist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings