registry  /  @markjaquith/agency  /  2.5.0

@markjaquith/agency@2.5.0

Manage agentic work across repositories with durable workbases

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `agency init` or `agency work`.
Impact
Mutates selected workbase agent-control files; the launched agent then operates under its own permissions.
Mechanism
Explicit workbase agent-config setup and local agent CLI launch.
Rationale
The package is not malicious by source evidence, but it deliberately writes AI-agent configuration files during an explicit setup command. Per firewall policy, this user-command agent config mutation warrants a warning rather than a block.
Evidence
package.jsonsrc/commands/init.tssrc/commands/work.tssrc/services/WorkbaseService.tssrc/workbase/agents-file.tssrc/workbase/opencode-file.ts<workbase>/AGENTS.md<workbase>/.opencode/opencode.jsonc<workbase>/agency.json<workbase>/.gitignore

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/commands/init.ts` invokes workbase initialization on explicit `agency init`.
  • `src/services/WorkbaseService.ts` writes `<workbase>/AGENTS.md` and `<workbase>/.opencode/opencode.jsonc`.
  • `src/commands/work.ts` explicitly launches installed `opencode` or `claude` via `execvp`.
  • `src/utils/exec.ts` loads libc FFI solely to replace the process with the selected CLI.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Agent files contain bounded workbase instructions/config references, with checksum guards before updates.
  • No fetch/API client, credential harvesting, obfuscated payload, dynamic code loading, or exfiltration path was found.
  • Git/GitHub network actions are explicit repository clone/fetch/push/PR commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 62 file(s), 248 KB of source, external domains: example.com, github.com, opencode.ai

Source & flagged code

4 flagged · loading source
src/commands/init.tsView file
Published source reference
Medium
Ai Review Evidence

`src/commands/init.ts` invokes workbase initialization on explicit `agency init`.

src/commands/init.tsView on unpkg
src/services/WorkbaseService.tsView file
Published source reference
Medium
Ai Review Evidence

`src/services/WorkbaseService.ts` writes `<workbase>/AGENTS.md` and `<workbase>/.opencode/opencode.jsonc`.

src/services/WorkbaseService.tsView on unpkg
src/commands/work.tsView file
Published source reference
Medium
Ai Review Evidence

`src/commands/work.ts` explicitly launches installed `opencode` or `claude` via `execvp`.

src/commands/work.tsView on unpkg
src/utils/exec.tsView file
Published source reference
Medium
Ai Review Evidence

`src/utils/exec.ts` loads libc FFI solely to replace the process with the selected CLI.

src/utils/exec.tsView on unpkg

Findings

5 Medium4 Low
MediumEnvironment Vars
MediumAi Review Evidencesrc/commands/init.ts
MediumAi Review Evidencesrc/services/WorkbaseService.ts
MediumAi Review Evidencesrc/commands/work.ts
MediumAi Review Evidencesrc/utils/exec.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings