registry  /  @n1creator/openacp-cli  /  2026.713.2

@n1creator/openacp-cli@2026.713.2

Self-hosted bridge for AI coding agents via ACP protocol

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `openacp agents install <agent>` or `openacp integrate <agent>`; auto-start requires `openacp autostart install`.
Impact
Supported agent prompts receive session and working-directory context for OpenACP handoff; integration alters named agent config files.
Mechanism
Explicit CLI-driven AI-agent hook/config integration and agent binary download.
Rationale
The scanner's claimed command-output exfiltration was not confirmed by source inspection. The concrete remaining risk is explicit-user-command AI-agent integration, so warning is appropriate rather than a block.
Evidence
package.jsondist/cli.jsdist/index.jsREADME.md~/.claude/settings.json~/.claude/hooks/openacp-inject-session.sh~/.claude/hooks/openacp-handoff.sh~/.cursor/hooks.json~/.gemini/settings.json~/.cline/settings.json~/.config/opencode/commands/openacp-handoff.md~/.config/opencode/plugins/openacp-handoff.js~/.openacp/agents
Network endpoints2
cdn.agentclientprotocol.com/registry/v1/latest/registry.jsonregistry.npmjs.org/${NPM_PACKAGE}/latest

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/cli.js` automatically calls `installIntegration` after explicit `openacp agents install` for agents with integrations.
  • `dist/index.js` writes hook scripts and edits `~/.claude/settings.json`, `~/.cursor/hooks.json`, `~/.gemini/settings.json`, or `~/.cline/settings.json`.
  • `dist/index.js` downloads user-requested agent archives and extracts them under `~/.openacp/agents`.
  • `dist/index.js` supports user-invoked auto-start service installation.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle script.
  • `dist/cli.js` exposes standalone `openacp integrate <agent>` and documents its mutations.
  • Integration scripts only pass session ID and working-directory context to OpenACP handoff commands.
  • `dist/index.js` blocks agent access to `.env`, keys, `.ssh`, `.aws`, `.openacp`, and secret-file patterns.
  • No source-confirmed credential harvesting or command-output upload endpoint was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 3.22 MB of source, external domains: 127.0.0.1, api.groq.com, api.ipify.org, api.telegram.org, cdn.agentclientprotocol.com, cdn.jsdelivr.net, github.com, ngrok.com, openacp.com, registry.npmjs.org, t.me, tailscale.com, tunnel-worker.openacp.ai, vitest.dev, www.apple.com

Source & flagged code

9 flagged · loading source
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @n1creator/openacp-cli@2026.713.1 matchedIdentity = npm:QG4xY3JlYXRvci9vcGVuYWNwLWNsaQ:2026.713.1 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
23522patternName = generic_password severity = medium line = 23522 matchedText = password...e.",
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli.jsView on unpkg · L23522
dist/index.jsView file
134function expandHome(p) { L135: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L136: } ... L306: }); L307: if (typeof dest.end === "function") dest.end(); L308: else { ... L429: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L430: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L431: const instances = data?.instances ?? {}; ... L641: super(); L642: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L643: }
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.jsView on unpkg · L134
134Trigger-reachable chain: manifest.main -> dist/index.js L134: function expandHome(p) { L135: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L136: } ... L306: }); L307: if (typeof dest.end === "function") dest.end(); L308: else { ... L429: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L430: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L431: const instances = data?.instances ?? {}; ... L641: super(); L642: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L643: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L134
1106}); L1107: import { execFileSync as execFileSync2 } from "child_process"; L1108: import * as fs10 from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L1106
16733if (process.platform === "win32" && (ext === ".cmd" || ext === ".bat")) { L16734: return { command: process.env.ComSpec ?? "cmd.exe", args: ["/d", "/s", "/c", `"${filePath}"`] }; L16735: }
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L16733
1626async function extractTarGz(buffer, destDir) { L1627: const { execFileSync: execFileSync9 } = await import("child_process"); L1628: const tmpFile = path10.join(destDir, "_archive.tar.gz");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L1626
134function expandHome(p) { L135: return p.startsWith("~") ? path.join(os.homedir(), p.slice(1)) : p; L136: } ... L306: }); L307: if (typeof dest.end === "function") dest.end(); L308: else { ... L429: const registryPath = path2.join(os2.homedir(), ".openacp", "instances.json"); L430: const data = JSON.parse(fs2.readFileSync(registryPath, "utf-8")); L431: const instances = data?.instances ?? {}; ... L641: super(); L642: this.configPath = process.env.OPENACP_CONFIG_PATH || configPath || expandHome2("~/.openacp/config.json"); L643: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L134
dist/speech/transcribe_audio.shView file
path = dist/speech/transcribe_audio.sh kind = build_helper sizeBytes = 4333 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/speech/transcribe_audio.shView on unpkg

Findings

3 Critical2 High7 Medium5 Low
CriticalCommand Output Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processdist/index.js
HighShelldist/index.js
MediumSecret Patterndist/cli.js
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumShips Build Helperdist/speech/transcribe_audio.sh
MediumStructural Risk Force Deep Review
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings