registry  /  @n1creator/openacp-cli  /  2026.712.5

@n1creator/openacp-cli@2026.712.5

Self-hosted bridge for AI coding agents via ACP protocol

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs and configures `openacp`, then sends commands through the configured Telegram/other channel or enables tunnel/daemon mode.
Impact
A compromised or misconfigured authorized messaging account can control the local agent capability exposed by the operator, including its workspace command/file access.
Mechanism
Configured remote messaging triggers local agent subprocesses, optional binary download, and explicit user-level persistence.
Rationale
The scanner's exfiltration label is overstated: the observed network flows are feature-aligned and credentialed Telegram API use. The package nevertheless exposes a high-impact remote AI-agent control surface and downloads an executable optional dependency, so it warrants a warning rather than a block.
Evidence
package.jsonREADME.mddist/index.jsdist/cli.jsdist/speech/transcribe_audio.sh~/.openacp/bin/cloudflared~/Library/LaunchAgents/com.openacp.daemon.<instanceId>.plist~/.config/systemd/user/openacp-<instanceId>.service
Network endpoints5
api.telegram.orgapi.groq.com/openai/v1/audio/transcriptionsregistry.npmjs.orgcdn.agentclientprotocol.com/registry/v1/latest/registry.jsongithub.com/cloudflare/cloudflared/releases/latest/download

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` spawns configured AI-agent commands and passes a filtered environment.
  • `dist/index.js` uses configured Telegram bot credentials to call `api.telegram.org` and relay files/messages.
  • `dist/index.js` can download and execute `cloudflared` under `~/.openacp/bin` when its tunnel feature is enabled.
  • `dist/index.js` can create launchd/systemd user auto-start units after explicit run-mode configuration.
  • `dist/speech/transcribe_audio.sh` creates a venv and installs `faster-whisper` when invoked.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • Entrypoints are CLI/runtime code; no import-time credential harvesting or unsolicited outbound endpoint was found.
  • Telegram, Groq, npm registry, ACP registry, and Cloudflare endpoints implement documented configured features; no arbitrary exfiltration endpoint was found.
  • Auto-start installation is reached through explicit daemon/run-mode setup, not npm installation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 2.66 MB of source, external domains: 127.0.0.1, api.groq.com, api.telegram.org, cdn.agentclientprotocol.com, cdn.jsdelivr.net, docs.openacp.dev, github.com, ngrok.com, openacp.com, openacp.gitbook.io, raw.githubusercontent.com, registry.npmjs.org, t.me, tailscale.com, tunnel-worker.openacp.ai, vitest.dev, www.apple.com

Source & flagged code

8 flagged · loading source
dist/index.jsView file
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/index.jsView on unpkg · L29
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.jsView on unpkg · L29
29Trigger-reachable chain: manifest.main -> dist/index.js L29: function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L29
976}); L977: import { execFileSync as execFileSync2 } from "child_process"; L978: import * as fs10 from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L976
12554if (process.platform === "win32" && (ext === ".cmd" || ext === ".bat")) { L12555: return { command: process.env.ComSpec ?? "cmd.exe", args: ["/d", "/s", "/c", `"${filePath}"`] }; L12556: }
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L12554
1477async function extractTarGz(buffer, destDir) { L1478: const { execFileSync: execFileSync8 } = await import("child_process"); L1479: const tmpFile = path10.join(destDir, "_archive.tar.gz");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1477
29function expandHome(p) { L30: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L31: } ... L206: }); L207: transport.end(); L208: }); ... L299: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L300: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L301: const instances = data?.instances ?? {}; ... L511: super(); L512: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L513: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L29
dist/speech/transcribe_audio.shView file
path = dist/speech/transcribe_audio.sh kind = build_helper sizeBytes = 4333 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/speech/transcribe_audio.shView on unpkg

Findings

3 Critical2 High6 Medium5 Low
CriticalCredential Exfiltrationdist/index.js
CriticalCommand Output Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
HighChild Processdist/index.js
HighShelldist/index.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumShips Build Helperdist/speech/transcribe_audio.sh
MediumStructural Risk Force Deep Review
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings