registry  /  @mewbleh/nori  /  0.3.0

@mewbleh/nori@0.3.0

Headless, multi-channel personal AI agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
An operator enables the relevant tool and approves a shell request, or explicitly runs `nori daemon install`.
Impact
Approved commands can affect the user account and configured workspace; service setup can create user-level persistence.
Mechanism
Approval-gated arbitrary shell execution and explicit per-user service setup.
Rationale
Source inspection disproves the scanner's claimed remote decode-and-execute and automatic exfiltration behavior. The package remains warning-worthy because it provides a real, high-impact AI-agent shell capability and user-level persistence functions.
Evidence
package.jsondist/index.jsREADME.md
Network endpoints1
registry.npmjs.org

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` exposes an opt-in shell tool that runs `/bin/sh -lc` (or `cmd.exe`) in the configured workspace.
  • The shell tool can execute arbitrary commands once an operator approves the generated approval request.
  • `dist/index.js` provides explicit CLI commands to install a per-user Nori gateway service on systemd, launchd, or Task Scheduler.
  • `dist/index.js` can install user-selected plugins with npm, though it passes `--ignore-scripts`.
Evidence against
  • `package.json` contains no `preinstall`, `install`, `postinstall`, or other lifecycle script.
  • Entrypoint execution is guarded by `isMainModule()`, so importing `dist/index.js` does not start the CLI.
  • No `eval`, `Function`, VM execution, remote payload decoding, or remote code-loading primitive was found in `dist/index.js`.
  • Network calls are provider/channel functionality and an explicit update check to npm; no source path sends environment data or command output to an unrelated endpoint.
  • Filesystem state and service files are created only through explicit CLI/setup/daemon actions, not package installation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 821 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.cerebras.ai, api.deepinfra.com, api.deepseek.com, api.featherless.ai, api.fireworks.ai, api.groq.com, api.mistral.ai, api.openai.com, api.telegram.org, api.together.xyz, api.venice.ai, api.x.ai, auth.openai.com, chatgpt.com, discord.com, example.com, github.com, integrate.api.nvidia.com, openrouter.ai, registry.npmjs.org, router.huggingface.co, www.apple.com

Source & flagged code

7 flagged · loading source
dist/index.jsView file
67"use strict"; L68: var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () ... L69: }; ... L1962: // apps/cli/src/index.ts L1963: import { execFile as execFile7 } from "child_process"; L1964: import fs15 from "fs/promises"; ... L1966: import path19 from "path"; L1967: import { stdin as input, stdout as output } from "process"; L1968: import { pathToFileURL as pathToFileURL2 } from "url"; ... L1980: // packages/persistence/dist/index.js L1981: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID, timingSafeEqual } from "crypto"; L1982: import fs from "fs";
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L67
67"use strict"; L68: var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () ... L69: }; ... L1962: // apps/cli/src/index.ts L1963: import { execFile as execFile7 } from "child_process"; L1964: import fs15 from "fs/promises"; ... L1966: import path19 from "path"; L1967: import { stdin as input, stdout as output } from "process"; L1968: import { pathToFileURL as pathToFileURL2 } from "url"; ... L1980: // packages/persistence/dist/index.js L1981: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID, timingSafeEqual } from "crypto"; L1982: import fs from "fs";
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.jsView on unpkg · L67
67"use strict"; L68: var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () ... L69: }; ... L1962: // apps/cli/src/index.ts L1963: import { execFile as execFile7 } from "child_process"; L1964: import fs15 from "fs/promises"; ... L1966: import path19 from "path"; L1967: import { stdin as input, stdout as output } from "process"; L1968: import { pathToFileURL as pathToFileURL2 } from "url"; ... L1980: // packages/persistence/dist/index.js L1981: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID, timingSafeEqual } from "crypto"; L1982: import fs from "fs";
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/index.jsView on unpkg · L67
67Trigger-reachable chain: manifest.main -> dist/index.js L67: "use strict"; L68: var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () ... L69: }; ... L1962: // apps/cli/src/index.ts L1963: import { execFile as execFile7 } from "child_process"; L1964: import fs15 from "fs/promises"; ... L1966: import path19 from "path"; L1967: import { stdin as input, stdout as output } from "process"; L1968: import { pathToFileURL as pathToFileURL2 } from "url"; ... L1980: // packages/persistence/dist/index.js L1981: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID, timingSafeEqual } from "crypto"; L1982: import fs from "fs";
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L67
1962// apps/cli/src/index.ts L1963: import { execFile as execFile7 } from "child_process"; L1964: import fs15 from "fs/promises";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1962
4916throw new Error("Shell command is required"); L4917: const shell = process.platform === "win32" ? process.env.ComSpec ?? "cmd.exe" : "/bin/sh"; L4918: const args = process.platform === "win32" ? ["/d", "/s", "/c", command] : ["-lc", command];
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L4916
67"use strict"; L68: var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () ... L69: }; ... L1962: // apps/cli/src/index.ts L1963: import { execFile as execFile7 } from "child_process"; L1964: import fs15 from "fs/promises"; ... L1966: import path19 from "path"; L1967: import { stdin as input, stdout as output } from "process"; L1968: import { pathToFileURL as pathToFileURL2 } from "url"; ... L1980: // packages/persistence/dist/index.js L1981: import { createCipheriv, createDecipheriv, createHash, randomBytes, randomUUID, timingSafeEqual } from "crypto"; L1982: import fs from "fs";
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L67

Findings

4 Critical2 High4 Medium3 Low
CriticalCredential Exfiltrationdist/index.js
CriticalCommand Output Exfiltrationdist/index.js
CriticalRemote Asset Decode Executedist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings