registry  /  @n1creator/openacp-cli  /  2026.712.3

@n1creator/openacp-cli@2026.712.3

Self-hosted bridge for AI coding agents via ACP protocol

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `openacp`, configures a messaging bridge, installs an agent/integration, or enables daemon autostart.
Impact
A configured user can grant remote-message-driven coding agents filesystem and shell capabilities; remote registry/archive trust and explicit agent-config mutation expand that capability.
Mechanism
User-authorized AI-agent orchestration, remote registry/archive retrieval, and optional local service setup.
Rationale
The scanner's credential/command-output exfiltration claim is not confirmed: observed outbound requests are package-aligned Telegram, registry, update, and optional service endpoints. The package remains high-risk dual-use software because it orchestrates coding agents and can explicitly alter AI-agent integrations, so it should warn rather than block.
Evidence
package.jsondist/index.jsdist/cli.jsREADME.md~/.openacp/config.json~/.claude/settings.json~/.cursor/hooks.json~/.gemini/settings.json~/.cline/settings.json
Network endpoints3
cdn.agentclientprotocol.com/registry/v1/latest/registry.jsonapi.telegram.orgregistry.npmjs.org/@n1creator/openacp-cli/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` spawns configured coding-agent and terminal subprocesses.
  • `dist/index.js` fetches a remote agent registry and downloads selected agent archives.
  • `dist/index.js` defines user-level agent hook/plugin settings under `~/.claude`, `~/.cursor`, `~/.gemini`, and `~/.cline`.
  • `dist/index.js` can create OpenACP LaunchAgent/systemd autostart entries after user setup.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • Process launches use argument arrays and `shell: false` where terminal spawning occurs.
  • Agent subprocess environments are filtered through an allowlist.
  • Telegram requests use the configured bot token for the package's messaging bridge; no unrelated credential-upload path was found.
  • No `eval`, `vm`, `Function`, encoded payload execution, or import-time payload was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.65 MB of source, external domains: 127.0.0.1, api.groq.com, api.telegram.org, cdn.agentclientprotocol.com, cdn.jsdelivr.net, docs.openacp.dev, github.com, ngrok.com, openacp.com, openacp.gitbook.io, raw.githubusercontent.com, registry.npmjs.org, t.me, tailscale.com, tunnel-worker.openacp.ai, vitest.dev, www.apple.com

Source & flagged code

7 flagged · loading source
dist/index.jsView file
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L29
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.jsView on unpkg · L29
29Trigger-reachable chain: manifest.main -> dist/index.js L29: function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L29
968}); L969: import { execFileSync as execFileSync2 } from "child_process"; L970: import * as fs10 from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L968
12454if (process.platform === "win32" && (ext === ".cmd" || ext === ".bat")) { L12455: return { command: process.env.ComSpec ?? "cmd.exe", args: ["/d", "/s", "/c", `"${filePath}"`] }; L12456: }
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L12454
1469async function extractTarGz(buffer, destDir) { L1470: const { execFileSync: execFileSync8 } = await import("child_process"); L1471: const tmpFile = path10.join(destDir, "_archive.tar.gz");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1469
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L29

Findings

3 Critical2 High5 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalCommand Output Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumStructural Risk Force Deep Review
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings