
@orangeworks/orangetree@0.23.3

Branching session-tree work-tracking tool (local-first, TypeScript)

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked local web app/daemon for managing Claude sessions with optional cloud pairing/tunnel features.

Static reason: One or more suspicious static signals were detected.
Trigger: Running the orangetree CLI or importing dist/server.js as the app entrypoint
Impact: Expected local state, worktree, daemon, and optional remote-access configuration changes; no evidence of credential harvesting or covert exfiltration.
Mechanism: local daemon, Claude CLI orchestration, optional cloud pairing
Rationale: Static inspection found powerful primitives, but they are aligned with the package's documented local Claude-session work-tracking function and are gated by user/runtime actions rather than install-time execution. No credential harvesting, covert endpoint, destructive persistence, or unconsented AI-agent control-surface mutation was identified.
Evidence: package.json, dist/bin/orangetree.js, dist/server.js, README.md
Network endpoints (1): api.orangetree.dev

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks
    • dist/bin/orangetree.js only starts/stops/status/updates user-invoked daemon
    • dist/server.js spawns claude CLI for documented bot/session features
    • dist/server.js network use is local API, configured cloud pairing/reporting, or https://api.orangetree.dev
    • dist/server.js writes app state under OTREE_DATA/.orangetree and selected work roots
    • README.md documents claude CLI prerequisite and OTREE_CLAUDE_BIN
    Behavioral surface
    Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
    Supply chain: High Entropy Strings, Url Strings
    Manifest: No License
    scanned 62 file(s), 1.54 MB of source, external domains: 127.0.0.1, api.orangetree.dev, github.com, json-schema.org, orangetree.dev, registry.npmjs.org, www.w3.org

    Source & flagged code

    4 flagged
    dist/bin/orangetree.js
    L87: // lib/daemon.ts
    L88: import { spawn, spawnSync } from "node:child_process";
    L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
    High
    Child Process

    Package source references child process execution.

    dist/bin/orangetree.js · L87

    L312: const ps = `$s=(New-Object -ComObject WScript.Shell).CreateShortcut(${psStr(lnk)});$s.TargetPath=${psStr(wscript)};$s.Arguments=${psStr(`//B //Nologo "${vbs}"`)};$s.Description='Or...
    L313: spawnSync("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", windowsHide: true });
    L314: }
    High
    Shell

    Package source references shell execution.

    dist/bin/orangetree.js · L312

    L87: // lib/daemon.ts
    L88: import { spawn, spawnSync } from "node:child_process";
    L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
    L90: import { request } from "node:http";
    L91: import { homedir } from "node:os";
    ...
    L99: function dataRoot() {
    L100: return process.env.OTREE_DATA ?? join2(homedir(), ".orangetree");
    L101: }
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/bin/orangetree.js · L87

    Cross-file remote execution chain: dist/bin/orangetree.js spawns dist/server.js; helper contains network access plus dynamic code execution.
    L64: try {
    L65: return normalize(JSON.parse(readFileSync(path, "utf8")));
    L66: } catch {
    ...
    L72: const fill = (key, value) => {
    L73: if (value != null && process.env[key] === void 0) process.env[key] = value;
    L74: };
    ...
    L87: // lib/daemon.ts
    L88: import { spawn, spawnSync } from "node:child_process";
    L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
    L90: import { request } from "node:http";
    L91: import { homedir } from "node:os";
    ...
    L99: function dataRoot() {
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/bin/orangetree.js · L64

    Findings

    4 High, 2 Medium, 5 Low
    High · Child Process · dist/bin/orangetree.js
    High · Shell · dist/bin/orangetree.js
    High · Same File Env Network Execution · dist/bin/orangetree.js
    High · Cross File Remote Execution Context · dist/bin/orangetree.js
    Medium · Network
    Medium · Environment Vars
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Url Strings
    Low · No License