registry  /  @oas-framework/oas  /  0.7.0

@oas-framework/oas@0.7.0

OAS (Open Agent Specialization) — durable souls, disposable instances, targetable capability packages, and the runtime-neutral oas CLI/kernel.

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No installation-time attack surface is present. Explicit `oas init`, `use`, and `spawn` commands write agent-control artifacts and may run active bundled capability hooks; optional Linear commands call its API with its configured key.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit `oas` CLI commands and activated capability lifecycle events.
Impact
Creates/removes instance files, agent instructions, skills, configuration, and optional provider identities/tasks.
Mechanism
User-invoked agent workspace provisioning and capability hooks.
Rationale
Flag as warn for explicit user-command AI-agent capability setup and lifecycle execution, not malicious behavior. Source inspection found no concrete malicious chain or install-time control-surface mutation.
Evidence
package.jsonbin/oas.mjslib/core.mjslib/tmux-config.mjscapabilities/oas-aweb/bin/oas-aweb.mjscapabilities/oas-linear/bin/oas-linear.mjscapabilities/oas-okf/bin/oas-okf.mjsoas-config.yamloas-lock.jsonAGENTS.mdCLAUDE.mdTASK.mdinstance.json.agents/skills.claude/skills.claude-runtime/skills.oas/capabilities.tmux.conf.aw
Network endpoints1
api.linear.app/graphql

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `bin/oas.mjs` explicitly creates/edits `oas-config.yaml` and capability locks.
  • `lib/core.mjs` spawns agent homes and writes generated `AGENTS.md`/`CLAUDE.md` plus skills.
  • `lib/core.mjs` executes configured, trusted capability lifecycle hooks during explicit spawn/retire.
  • `capabilities/oas-aweb/bin/oas-aweb.mjs` can mint/delete aweb identities through `aw` on lifecycle events.
  • `capabilities/oas-linear/bin/oas-linear.mjs` sends the supplied `LINEAR_API_KEY` only to Linear's GraphQL endpoint.
Evidence against
  • `package.json` defines no `preinstall`, `install`, `postinstall`, or `prepare` hook.
  • No import-time network behavior, credential harvesting, obfuscation, eval/vm, or binary loading found.
  • External executable capabilities require lock/trust handling in `lib/core.mjs`; activation occurs through CLI/config actions.
  • All observed writes and subprocesses implement documented CLI, workspace, tmux, Git, or configured capability actions.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 11 file(s), 152 KB of source, external domains: api.linear.app

Source & flagged code

2 flagged · loading source
capabilities/oas-okf/bin/oas-okf.mjsView file
160if (!inst) skip("no instance identity (run from an instance home)"); L161: const core = await import(pathToFileURL(join(FRAMEWORK_ROOT, "lib", "core.mjs")).href); L162: const slug = String(inst).toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 30);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

capabilities/oas-okf/bin/oas-okf.mjsView on unpkg · L160
bin/oas.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @oas-framework/oas@0.6.2 matchedIdentity = npm:QG9hcy1mcmFtZXdvcmsvb2Fz:0.6.2 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/oas.mjsView on unpkg

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltabin/oas.mjs
MediumDynamic Requirecapabilities/oas-okf/bin/oas-okf.mjs
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
@oas-framework/oas@0.7.0: Suspicious npm security report (Warn) | LPM Firewall