registry  /  @oas-framework/oas  /  0.5.0

@oas-framework/oas@0.5.0

OAS (Open Agent Specialization) — durable souls, disposable instances, harvest-back: the oas CLI and kernel. Runtime adapters: @oas-framework/pi (pi), Claude plugin (planned)

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
Explicit `oas init`/`use`/`install`/`sync` command or OAS instance lifecycle invocation.
Impact
Can alter OAS-managed `AGENTS.md` content and run selected integration hooks within the chosen workspace.
Mechanism
User-directed agent configuration injection and lifecycle-hook dispatch.
Rationale
The package has explicit agent-control and hook-execution capabilities, warranting a warning classification under the firewall policy. Source inspection found no concrete malicious behavior or unconsented install-time mutation.
Evidence
package.jsonbin/oas.mjslib/core.mjsintegrations/oas-aweb/bin/oas-aweb.mjsintegrations/oas-jira/bin/oas-jira.mjsintegrations/oas-okf/bin/oas-okf.mjsoas-config.yamlagents/<agent>/soul/AGENTS.md~/.oas/integrations/<integration>local-agents/memory-harvest/

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `bin/oas.mjs` exposes explicit `init`, `use`, `install`, and `sync` commands that write workspace configuration and integrations.
  • `lib/core.mjs` reconciles configured content into agent `AGENTS.md` files.
  • `lib/core.mjs` runs configured lifecycle-hook strings with `execSync` during OAS instance events.
  • `integrations/oas-okf/bin/oas-okf.mjs` dynamically imports this package's own `lib/core.mjs` and spawns a memory-harvest agent.
Evidence against
  • `package.json` contains no lifecycle scripts, so install/import does not trigger these actions.
  • No source network client, credential harvesting, exfiltration, eval, or remote payload download was found.
  • Agent-file changes are scoped to the package's OAS agent workspace model and occur through explicit CLI/framework actions.
  • Bundled aweb/Jira hooks are integration-specific; Jira performs no network call and aweb delegates only to the user-installed `aw` CLI.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 6 file(s), 87.3 KB of source

Source & flagged code

1 flagged · loading source
integrations/oas-okf/bin/oas-okf.mjsView file
162if (!inst) skip("no instance identity (run from an instance home)"); L163: const core = await import(pathToFileURL(join(FRAMEWORK_ROOT, "lib", "core.mjs")).href); L164: const slug = String(inst).toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 30);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

integrations/oas-okf/bin/oas-okf.mjsView on unpkg · L162

Findings

2 Medium2 Low
MediumDynamic Requireintegrations/oas-okf/bin/oas-okf.mjs
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings