registry  /  @openscout/scout  /  0.2.73

@openscout/scout@0.2.73

Public Scout package that installs the `scout` command and bundled local runtime

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The user-invoked CLI can create OpenScout-owned runtime files and launch local managed agent sessions. Optional pairing/mesh functionality can contact the package-aligned OpenScout relay.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit commands such as `scout up`, `scout setup`, `scout init`, or `scout pair`.
Impact
Can start local agent harnesses and retain OpenScout runtime state; no install-time or foreign agent-control mutation is confirmed.
Mechanism
Local AI-agent orchestration with optional pairing relay connectivity.
Rationale
The scanner's block signal overstates packaged application functionality: the risky behaviors are reachable through explicit CLI workflows and are package-owned. Retain a warning for the substantial local agent-control capability and optional relay connectivity.
Evidence
package.jsonbin/scoutbin/scout.mjsbin/openscout-runtime.mjsdist/main.mjsdist/pairing-runtime-controller.mjs
Network endpoints2
mesh.oscout.netwss://mesh.oscout.net/v1/relay

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/main.mjs` exposes explicit `up`, `pair`, `setup`, and `init` agent/runtime commands.
  • `dist/main.mjs` writes launcher scripts and state under OpenScout-owned support/runtime directories, then starts local agent harnesses.
  • `dist/pairing-runtime-controller.mjs` defines optional rendezvous and pairing-relay endpoints at `mesh.oscout.net`.
  • `dist/pairing-runtime-controller.mjs` can enumerate local AI harness installations and credentials paths as readiness metadata.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `bin/scout` and `bin/scout.mjs` only dispatch after the user invokes the CLI.
  • Observed writes target `~/.openscout` and OpenScout application-support paths, not foreign agent configuration files.
  • Network discovery defaults disabled in `dist/pairing-runtime-controller.mjs`; no confirmed credential exfiltration chain was found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 5.35 MB of source, external domains: 127.0.0.1, api.push.apple.com, api.sandbox.push.apple.com, api.x.ai, arc.jdi.sh, base-ui.com, bun.sh, claude.ai, cursor.com, developer.mozilla.org, docs.x.ai, esm.sh, github.com, grok.com, json-schema.org, mesh.oscout.net, openrouter.ai, openscout.app, pi.dev, platform.minimax.io, react.dev, trpc.io, www.w3.org, x.ai
Oversized source lightweight scan
dist/client/assets/index-CRkjiso5.js2.43 MB file, sampled 256 KB
NetworkHighEntropyStringsMinifiedUrlStringsreact.dev
dist/main.mjs5.85 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsShellHighEntropyStringsUrlStringsgithub.com
dist/runtime/broker-daemon.mjs2.27 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsCryptoUrlStringstrpc.io
dist/scout-control-plane-web.mjs2.23 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStrings127.0.0.1api.x.aiclaude.aicursor.comdocs.x.aigithub.comgrok.comopenrouter.aipi.devplatform.minimax.iox.ai
dist/scout-web-server.mjs2.23 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoShellWebSocketHighEntropyStringsUrlStrings127.0.0.1api.x.aiclaude.aicursor.comdocs.x.aigithub.comgrok.comopenrouter.aipi.devplatform.minimax.iox.ai

Source & flagged code

11 flagged · loading source
bin/openscout-runtime.mjsView file
2L3: import { spawn } from "node:child_process"; L4: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

bin/openscout-runtime.mjsView on unpkg · L2
dist/pairing-runtime-controller.mjsView file
29function localConfigHome() { L30: return process.env.OPENSCOUT_HOME ?? join(homedir(), ".openscout"); L31: } ... L39: try { L40: return validateLocalConfig(JSON.parse(readFileSync(configPath, "utf8"))); L41: } catch { ... L109: const port = config.ports?.broker ?? DEFAULT_LOCAL_CONFIG.ports.broker; L110: return `http://${localBrokerControlHost(host)}:${port}`; L111: } ... L270: // ../agent-sessions/src/codex-executable.ts L271: import { execFileSync } from "child_process"; L272: import { accessSync, constants } from "fs";
Critical
Persistence Backdoor

Source writes persistence or remote-access backdoor material.

dist/pairing-runtime-controller.mjsView on unpkg · L29
29function localConfigHome() { L30: return process.env.OPENSCOUT_HOME ?? join(homedir(), ".openscout"); L31: } ... L39: try { L40: return validateLocalConfig(JSON.parse(readFileSync(configPath, "utf8"))); L41: } catch { ... L109: const port = config.ports?.broker ?? DEFAULT_LOCAL_CONFIG.ports.broker; L110: return `http://${localBrokerControlHost(host)}:${port}`; L111: } ... L270: // ../agent-sessions/src/codex-executable.ts L271: import { execFileSync } from "child_process"; L272: import { accessSync, constants } from "fs";
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

dist/pairing-runtime-controller.mjsView on unpkg · L29
477if (platform === "win32") { L478: execFileSync2("cmd.exe", ["/d", "/s", "/c", command], { L479: stdio: ["ignore", "ignore", "ignore"]
High
Shell

Package source references shell execution.

dist/pairing-runtime-controller.mjsView on unpkg · L477
bin/scout.mjsView file
42} L43: await import(pathToFileURL(nodeEntry).href); L44: process.exit(process.exitCode ?? 0);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/scout.mjsView on unpkg · L42
bin/scoutdView file
path = bin/scoutd kind = native_binary sizeBytes = 1644880 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

bin/scoutdView on unpkg
dist/tree-sitter-markdown_inline-j5349f42.wasmView file
path = dist/tree-sitter-markdown_inline-j5349f42.wasm kind = wasm_module sizeBytes = 426020 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

dist/tree-sitter-markdown_inline-j5349f42.wasmView on unpkg
dist/client/favicon.icoView file
path = dist/client/favicon.ico kind = high_entropy_blob sizeBytes = 8225 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/client/favicon.icoView on unpkg
dist/runtime/broker-daemon.mjsView file
path = dist/runtime/broker-daemon.mjs kind = oversized_source_file sizeBytes = 2375387 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/runtime/broker-daemon.mjsView on unpkg
dist/main.mjsView file
path = dist/main.mjs kind = oversized_cli_entrypoint sizeBytes = 6137646 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist/main.mjsView on unpkg
package.jsonView file
devDependencies registry_only=@openscout/runtime
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg

Findings

3 Critical4 High7 Medium5 Low
CriticalPersistence Backdoordist/pairing-runtime-controller.mjs
CriticalRemote Asset Decode Executedist/pairing-runtime-controller.mjs
CriticalManifest Confusionpackage.json
HighChild Processbin/openscout-runtime.mjs
HighShelldist/pairing-runtime-controller.mjs
HighShips High Entropy Blobdist/client/favicon.ico
HighOversized Source Filedist/runtime/broker-daemon.mjs
MediumDynamic Requirebin/scout.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Native Binarybin/scoutd
MediumShips Wasm Moduledist/tree-sitter-markdown_inline-j5349f42.wasm
MediumOversized Cli Entrypointdist/main.mjs
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings