registry  /  @nehoraihadad/neo-agent  /  0.2.0-rc.2

@nehoraihadad/neo-agent@0.2.0-rc.2

Neo — a personal intelligence layer: a from-scratch, learning-first AI agent with memory, skills, channels, and a live dashboard.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `neo`/`neo-tg` and configures a channel or invokes an agent task.
Impact
A configured or compromised authorized channel could cause agent-directed local actions; source shows approval and routing controls, not stealth execution.
Mechanism
Configured AI agent forwards admitted messages to tools that can fetch URLs and run local commands.
Rationale
The package is not concretely malicious by source inspection, but it is a high-capability AI agent that can connect a remote messaging channel to local command execution. This warrants a warning rather than a publish block.
Evidence
package.jsondist/tools/delegate.jsdist/tools/index.jsdist/channels/telegram/main.jsdist/observability/telemetry-sink.jsdist/bin/neo-tg.js
Network endpoints1
api.telegram.org/file/bot${token}/${filePath}

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/tools/delegate.js` implements agent shell/process execution through `execa`.
  • `dist/channels/telegram/main.js` dispatches admitted Telegram messages to the agent and returns replies through the bot API.
  • `dist/tools/index.js` exposes user-directed web fetching and configurable HTTP hooks.
  • `dist/observability/telemetry-sink.js` can POST telemetry to a configured endpoint.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • No remote payload decoding or `eval`/`Function` execution was found in `dist/tools/index.js`.
  • Dynamic imports load declared packages (`@anthropic-ai/claude-agent-sdk`, `turndown`, optional `playwright`).
  • Telegram ingress requires an owner direct message or an admitted routing binding in `dist/channels/telegram/main.js`.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 753 file(s), 53.2 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.deepseek.com, api.duckduckgo.com, api.github.com, api.githubcopilot.com, api.groq.com, api.openai.com, api.search.brave.com, api.tavily.com, api.telegram.org, app.factory.ai, auth.openai.com, calendarmcp.googleapis.com, chatgpt.com, claude.ai, claude.com, git-scm.com, github.com, gmailmcp.googleapis.com, linear.app, maps.google.com, mcp.linear.app, mcp.notion.com, mcp.sentry.dev, mcp.stripe.com, mcp.supabase.com, mcp.vercel.com, openrouter.ai, platform.claude.com, raw.githubusercontent.com, react.dev, registry.npmjs.org, schemas.microsoft.com, www.apple.com, www.googleapis.com, www.w3.org, x.ai
Oversized source lightweight scan
dist/bin/neo.js3.39 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.openai.comauth.openai.comchatgpt.comclaude.aiclaude.complatform.claude.com
dist/cli/commands/daemon.js2.84 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.openai.comauth.openai.comchatgpt.comclaude.aiclaude.comgithub.complatform.claude.comregistry.npmjs.org
dist/cli/commands/ui-cli.js2.29 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.openai.comauth.openai.comchatgpt.comclaude.complatform.claude.com
dist/cli/framework/manifest.js2.59 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.openai.comauth.openai.comchatgpt.comclaude.aiclaude.comgithub.complatform.claude.comregistry.npmjs.org
dist/cli/index.js2.56 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.openai.comauth.openai.comchatgpt.comclaude.complatform.claude.comregistry.npmjs.org
dist/runtime/agent-cli.js2.14 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.githubcopilot.comapi.openai.comauth.openai.comcalendarmcp.googleapis.comchatgpt.comclaude.comgithub.comgmailmcp.googleapis.comlinear.appmcp.linear.appmcp.notion.complatform.claude.comwww.googleapis.com
dist/runtime/cli.js2.12 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.githubcopilot.comapi.openai.comauth.openai.comcalendarmcp.googleapis.comchatgpt.comclaude.comgithub.comgmailmcp.googleapis.comlinear.appmcp.linear.appmcp.notion.complatform.claude.comwww.googleapis.com
dist/runtime/daemon/code-session-resume.js2.11 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.githubcopilot.comapi.openai.comauth.openai.comcalendarmcp.googleapis.comchatgpt.comclaude.comgithub.comgmailmcp.googleapis.comlinear.appmcp.linear.appmcp.notion.complatform.claude.comwww.googleapis.com
dist/runtime/daemon/engine-server.js2.15 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.githubcopilot.comapi.openai.comauth.openai.comcalendarmcp.googleapis.comchatgpt.comclaude.comgithub.comgmailmcp.googleapis.comlinear.appmcp.linear.appmcp.notion.complatform.claude.comwww.googleapis.com
dist/runtime/embedded/index.js2.11 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.githubcopilot.comapi.openai.comauth.openai.comcalendarmcp.googleapis.comchatgpt.comclaude.comgithub.comgmailmcp.googleapis.comlinear.appmcp.linear.appmcp.notion.complatform.claude.comwww.googleapis.com
dist/runtime/embedded.js2.11 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.githubcopilot.comapi.openai.comauth.openai.comcalendarmcp.googleapis.comchatgpt.comclaude.comgithub.comgmailmcp.googleapis.comlinear.appmcp.linear.appmcp.notion.complatform.claude.comwww.googleapis.com
dist/runtime/index.js2.11 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsNativeBindingsCryptoShellHighEntropyStringsUrlStrings127.0.0.1api.anthropic.comapi.githubcopilot.comapi.openai.comauth.openai.comcalendarmcp.googleapis.comchatgpt.comclaude.comgithub.comgmailmcp.googleapis.comlinear.appmcp.linear.appmcp.notion.complatform.claude.comwww.googleapis.com

Source & flagged code

11 flagged · loading source
dist/tools/delegate.jsView file
5968init_env_settings(); L5969: import { execSync } from "child_process"; L5970: import { readdir as readdir2, stat as stat2 } from "fs/promises";
High
Child Process

Package source references child process execution.

dist/tools/delegate.jsView on unpkg · L5968
dist/tools/bash.jsView file
497// src/util/exec-file.ts L498: import { execa } from "execa"; L499: function getErrorMessage(result, errorCode) {
High
Shell

Package source references shell execution.

dist/tools/bash.jsView on unpkg · L497
dist/tools/index.jsView file
116function envSet(name) { L117: const v = process.env[name]; L118: return v !== void 0 && v !== "" && v !== "0" && v.toLowerCase() !== "false"; ... L212: logSink = (line) => { L213: process.stdout.write(line + "\n"); L214: }; ... L302: import { z } from "zod"; L303: var McpTransportSchema, [redacted], [redacted], McpHeadersHelperConfigSchema, McpReconnectConfigSchema, McpOAuthConfigSchema, McpSt... L304: var init_types = __esm({ ... L395: function getNeoDir() { L396: return process.env["NEO_HOME"] ?? join2(homedir(), ".neo"); L397: }
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/tools/index.jsView on unpkg · L116
20185if (!sdkModulePromise) { L20186: sdkModulePromise = import("@anthropic-ai/claude-agent-sdk").then( L20187: (m) => m
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/tools/index.jsView on unpkg · L20185
116function envSet(name) { L117: const v = process.env[name]; L118: return v !== void 0 && v !== "" && v !== "0" && v.toLowerCase() !== "false"; ... L212: logSink = (line) => { L213: process.stdout.write(line + "\n"); L214: }; ... L302: import { z } from "zod"; L303: var McpTransportSchema, [redacted], [redacted], McpHeadersHelperConfigSchema, McpReconnectConfigSchema, McpOAuthConfigSchema, McpSt... L304: var init_types = __esm({ ... L395: function getNeoDir() { L396: return process.env["NEO_HOME"] ?? join2(homedir(), ".neo"); L397: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/tools/index.jsView on unpkg · L116
dist/bin/neo-live-driver.jsView file
57function envSet(name) { L58: const v = process.env[name]; L59: return v !== void 0 && v !== "" && v !== "0" && v.toLowerCase() !== "false"; ... L153: logSink = (line) => { L154: process.stdout.write(line + "\n"); L155: }; ... L162: import { z } from "zod"; L163: var McpTransportSchema, [redacted], [redacted], McpHeadersHelperConfigSchema, McpReconnectConfigSchema, McpOAuthConfigSchema, McpSt... L164: var init_types = __esm({ ... L336: function getNeoDir() { L337: return process.env["NEO_HOME"] ?? join2(homedir(), ".neo"); L338: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/bin/neo-live-driver.jsView on unpkg · L57
57function envSet(name) { L58: const v = process.env[name]; L59: return v !== void 0 && v !== "" && v !== "0" && v.toLowerCase() !== "false"; ... L153: logSink = (line) => { L154: process.stdout.write(line + "\n"); L155: }; ... L162: import { z } from "zod"; L163: var McpTransportSchema, [redacted], [redacted], McpHeadersHelperConfigSchema, McpReconnectConfigSchema, McpOAuthConfigSchema, McpSt... L164: var init_types = __esm({ ... L336: function getNeoDir() { L337: return process.env["NEO_HOME"] ?? join2(homedir(), ".neo"); L338: }
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/bin/neo-live-driver.jsView on unpkg · L57
dist/channels/telegram/main.jsView file
121function envSet(name) { L122: const v = process.env[name]; L123: return v !== void 0 && v !== "" && v !== "0" && v.toLowerCase() !== "false"; ... L217: logSink = (line) => { L218: process.stdout.write(line + "\n"); L219: }; ... L418: function getNeoDir() { L419: return process.env["NEO_HOME"] ?? join(homedir(), ".neo"); L420: } ... L535: import { z } from "zod"; L536: var McpTransportSchema, [redacted], [redacted], McpHeadersHelperConfigSchema, McpReconnectConfigSchema, McpOAuthConfigSchema, McpSt... L537: var init_types = __esm({
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/channels/telegram/main.jsView on unpkg · L121
dist/bin/neo-tg.jsView file
122Trigger-reachable chain: manifest.bin -> dist/bin/neo-tg.js L122: function envSet(name) { L123: const v = process.env[name]; L124: return v !== void 0 && v !== "" && v !== "0" && v.toLowerCase() !== "false"; ... L218: logSink = (line) => { L219: process.stdout.write(line + "\n"); L220: }; ... L419: function getNeoDir() { L420: return process.env["NEO_HOME"] ?? join(homedir(), ".neo"); L421: } ... L539: import { z } from "zod"; L540: var McpTransportSchema, [redacted], [redacted], McpHeadersHelperConfigSchema, McpReconnectConfigSchema, McpOAuthConfigSchema, McpSt... L541: var init_types = __esm({
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/bin/neo-tg.jsView on unpkg · L122
dist/bin/neo.jsView file
path = dist/bin/neo.js kind = oversized_source_file sizeBytes = 3556806 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/bin/neo.jsView on unpkg
path = dist/bin/neo.js kind = oversized_cli_entrypoint sizeBytes = 3556806 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/bin/neo.jsView on unpkg

Findings

4 Critical4 High6 Medium5 Low
CriticalCredential Exfiltrationdist/bin/neo-live-driver.js
CriticalCommand Output Exfiltrationdist/channels/telegram/main.js
CriticalRemote Asset Decode Executedist/tools/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/bin/neo-tg.js
HighChild Processdist/tools/delegate.js
HighShelldist/tools/bash.js
HighSandbox Evasion Gated Capabilitydist/bin/neo-live-driver.js
HighOversized Source Filedist/bin/neo.js
MediumDynamic Requiredist/tools/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/tools/index.js
MediumOversized Cli Entrypointdist/bin/neo.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings