@orangeworks/orangetree@0.23.4

Branching session-tree work-tracking tool (local-first, TypeScript)

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a local AI work-tracking app with user-invoked daemon, Claude/Codex integration, optional remote tunnel, and self-update features that align with its stated purpose.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs the orangetree CLI or starts dist/server.js; remote mode requires environment/config/onboarding.
Impact
User-requested agent actions may edit/run commands under configured project roots; no unconsented install/import-time compromise found.
Mechanism
local daemon and AI-agent orchestration with optional authenticated cloud tunnel
Rationale
The dangerous primitives are real but are activated by the product's CLI/server workflows and are bounded by local binding, remote auth, configured roots, and pinned tunnel assets. Static source inspection did not show unconsented lifecycle execution, credential exfiltration, persistence beyond the user-invoked daemon/shortcut, or malicious package behavior.
Evidence
  • package.json
  • dist/bin/orangetree.js
  • dist/server.js
Network endpoints (3)
  • api.orangetree.dev
  • registry.npmjs.org/-/package/@orangeworks/orangetree/dist-tags
  • github.com/fosrl/newt/releases/download/1.13.0

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with high false-positive risk.
Evidence for block
  • dist/server.js defaults Claude SDK permissionMode to bypassPermissions for agent turns.
  • dist/bin/orangetree.js can spawn a detached daemon, browser opener, updater, and Windows shortcuts when the CLI is run.
  • dist/server.js can download/run pinned Newt tunnel binaries and make cloud/API requests when remote mode/onboarding is configured.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks; bin/main behavior is user-invoked.
  • dist/server.js binds local mode to 127.0.0.1 and gates remote APIs with token/cloud-session auth.
  • dist/server.js network endpoints are product-aligned: orangetree cloud, npm update check, GitHub Newt releases with hashes.
  • dist/server.js bot profile comments and code avoid copying Claude credentials into app data; config dirs are selected for spawned Claude auth/status/login.
  • dist/bin/orangetree.js update path installs the same package name/version tag pattern, not arbitrary remote code.
  • No credential harvesting, exfiltration endpoint, destructive install-time behavior, or reviewer/prompt manipulation found.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
NoLicense
scanned 62 file(s), 1.54 MB of source, external domains: 127.0.0.1, api.orangetree.dev, github.com, json-schema.org, orangetree.dev, registry.npmjs.org, www.w3.org

Source & flagged code

5 flagged
dist/bin/orangetree.js
    L87: // lib/daemon.ts
    L88: import { spawn, spawnSync } from "node:child_process";
    L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/bin/orangetree.js · L87
    L312: const ps = `$s=(New-Object -ComObject WScript.Shell).CreateShortcut(${psStr(lnk)});$s.TargetPath=${psStr(wscript)};$s.Arguments=${psStr(`//B //Nologo "${vbs}"`)};$s.Description='Or...
    L313: spawnSync("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", windowsHide: true });
    L314: }
High
Shell

Package source references shell execution.

dist/bin/orangetree.js · L312
    L87: // lib/daemon.ts
    L88: import { spawn, spawnSync } from "node:child_process";
    L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
    L90: import { request } from "node:http";
    L91: import { homedir } from "node:os";
    ...
    L99: function dataRoot() {
    L100: return process.env.OTREE_DATA ?? join2(homedir(), ".orangetree");
    L101: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/orangetree.js · L87
Cross-file remote execution chain: dist/bin/orangetree.js spawns dist/server.js; helper contains network access plus dynamic code execution.
    L64: try {
    L65: return normalize(JSON.parse(readFileSync(path, "utf8")));
    L66: } catch {
    ...
    L72: const fill = (key, value) => {
    L73: if (value != null && process.env[key] === void 0) process.env[key] = value;
    L74: };
    ...
    L87: // lib/daemon.ts
    L88: import { spawn, spawnSync } from "node:child_process";
    L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
    L90: import { request } from "node:http";
    L91: import { homedir } from "node:os";
    ...
    L99: function dataRoot() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/orangetree.js · L64
dist/server.js
    matchType = previous_version_dangerous_delta
    matchedPackage = @orangeworks/orangetree@0.23.3
    matchedIdentity = npm:QG9yYW5nZXdvcmtzL29yYW5nZXRyZWU:0.23.3
    similarity = 0.918
    summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/server.js

Findings

1 Critical · 4 High · 2 Medium · 5 Low
  • Critical · Previous Version Dangerous Delta · dist/server.js
  • High · Child Process · dist/bin/orangetree.js
  • High · Shell · dist/bin/orangetree.js
  • High · Same File Env Network Execution · dist/bin/orangetree.js
  • High · Cross File Remote Execution Context · dist/bin/orangetree.js
  • Medium · Network
  • Medium · Environment Vars
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings
  • Low · No License