registry  /  @n1creator/openacp-cli  /  2026.712.2

@n1creator/openacp-cli@2026.712.2

Self-hosted bridge for AI coding agents via ACP protocol

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User installs/configures OpenACP and starts a daemon or enables `openacp autostart`.
Impact
A compromised authorized messaging account or unsafe agent configuration could cause agent actions in the host workspace.
Mechanism
User-configured remote AI-agent orchestration, binary installation, and optional daemon persistence.
Rationale
The scanner's exfiltration claim is not supported by inspected source: network activity is package-aligned update, Telegram, localhost, and configured binary-download functionality. The package remains warning-worthy because it intentionally enables remote AI-agent command capability and optional persistence.
Evidence
package.jsonREADME.mddist/cli.jsdist/index.js~/.openacp/config.json~/Library/LaunchAgents/com.openacp.daemon.<instance>.plist~/.config/systemd/user/openacp-<instance>.service
Network endpoints3
api.telegram.orgregistry.npmjs.org/@n1creator/openacp-cli/latestgithub.com/cloudflare/cloudflared/releases/latest/download

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • README.md documents remote messaging control of coding agents that write code and run commands.
  • dist/cli.js dispatches user-selected agent/server commands and can spawn daemon children.
  • dist/index.js downloads configured agent/cloudflared binaries and extracts them locally.
  • dist/index.js supports explicit user autostart via launchd or systemd user-service files.
Evidence against
  • package.json has no preinstall, install, postinstall, or other lifecycle scripts.
  • No hidden network endpoint or credential-harvesting/exfiltration flow was found in inspected fetch call sites.
  • Telegram requests use the configured bot token solely against api.telegram.org for validation/integration.
  • Process execution uses argument arrays with shell disabled where updater spawning is inspected; archive paths are checked.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.65 MB of source, external domains: 127.0.0.1, api.groq.com, api.telegram.org, cdn.agentclientprotocol.com, cdn.jsdelivr.net, docs.openacp.dev, github.com, ngrok.com, openacp.com, openacp.gitbook.io, raw.githubusercontent.com, registry.npmjs.org, t.me, tailscale.com, tunnel-worker.openacp.ai, vitest.dev, www.apple.com

Source & flagged code

7 flagged · loading source
dist/index.jsView file
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L29
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.jsView on unpkg · L29
29Trigger-reachable chain: manifest.main -> dist/index.js L29: function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L29
968}); L969: import { execFileSync as execFileSync2 } from "child_process"; L970: import * as fs10 from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L968
12454if (process.platform === "win32" && (ext === ".cmd" || ext === ".bat")) { L12455: return { command: process.env.ComSpec ?? "cmd.exe", args: ["/d", "/s", "/c", `"${filePath}"`] }; L12456: }
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L12454
1469async function extractTarGz(buffer, destDir) { L1470: const { execFileSync: execFileSync8 } = await import("child_process"); L1471: const tmpFile = path10.join(destDir, "_archive.tar.gz");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1469
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L29

Findings

3 Critical2 High5 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalCommand Output Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings