registry  /  @orangeworks/orangetree  /  0.24.0

@orangeworks/orangetree@0.24.0

Branching session-tree work-tracking tool (local-first, TypeScript)

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The risky capabilities are part of a local-first AI work-tracking app and activate through the CLI/server UI, not during install.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs the orangetree CLI or starts dist/server.js
Impact
Can run local agent sessions and configured project services after user action; no covert package attack observed
Mechanism
local daemon, AI-agent session orchestration, optional cloud pairing/tunnel, explicit self-update
Rationale
Static inspection found dangerous primitives, but they are user-invoked and aligned with the declared Orange Tree local AI work-tracking app. There is no lifecycle execution, covert exfiltration, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/bin/orangetree.jsdist/server.js
Network endpoints5
api.orangetree.devorangetree.devgithub.com/fosrl/newt/releases/download/1.13.0registry.npmjs.org/-/package/@orangeworks/orangetree/dist-tags127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/server.js exposes powerful user-facing agent orchestration that can spawn Claude/Codex-backed work sessions
  • dist/server.js can download and verify Newt tunnel binaries from GitHub when remote pairing is enabled
  • dist/bin/orangetree.js has daemon/update commands that spawn detached processes and global npm install on explicit update
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • dist/bin/orangetree.js only starts/stops/status/updates the declared Orange Tree daemon when the CLI is invoked
  • dist/server.js network calls are for local UI, cloud pairing/reporting, npm update checks, and Newt tunnel setup
  • dist/server.js stores app state under OTREE_DATA or ~/.orangetree and bot metadata under bot-profiles; comments state Claude credentials are not copied there
  • remote mode has token/cloud session gates, loopback-only controls for setup/update/shutdown/tunnel, and root-jail path checks
  • no evidence of credential harvesting, covert exfiltration, persistence outside app daemon behavior, or install-time execution
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 62 file(s), 1.79 MB of source, external domains: 127.0.0.1, api.orangetree.dev, github.com, json-schema.org, orangetree.dev, registry.npmjs.org, www.w3.org
Oversized source lightweight scan
dist/public/mermaid.js3.29 MB file, sampled 256 KB
NetworkChildProcessHighEntropyStringsTelemetryUrlStringsgithub.comwww.w3.org

Source & flagged code

6 flagged · loading source
dist/bin/orangetree.jsView file
87// lib/daemon.ts L88: import { spawn, spawnSync } from "node:child_process"; L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/bin/orangetree.jsView on unpkg · L87
312const ps = `$s=(New-Object -ComObject WScript.Shell).CreateShortcut(${psStr(lnk)});$s.TargetPath=${psStr(wscript)};$s.Arguments=${psStr(`//B //Nologo "${vbs}"`)};$s.Description='Or... L313: spawnSync("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", windowsHide: true }); L314: }
High
Shell

Package source references shell execution.

dist/bin/orangetree.jsView on unpkg · L312
87// lib/daemon.ts L88: import { spawn, spawnSync } from "node:child_process"; L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs"; L90: import { request } from "node:http"; L91: import { homedir } from "node:os"; ... L99: function dataRoot() { L100: return process.env.OTREE_DATA ?? join2(homedir(), ".orangetree"); L101: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/orangetree.jsView on unpkg · L87
64Cross-file remote execution chain: dist/bin/orangetree.js spawns dist/server.js; helper contains network access plus dynamic code execution. L64: try { L65: return normalize(JSON.parse(readFileSync(path, "utf8"))); L66: } catch { ... L72: const fill = (key, value) => { L73: if (value != null && process.env[key] === void 0) process.env[key] = value; L74: }; ... L87: // lib/daemon.ts L88: import { spawn, spawnSync } from "node:child_process"; L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs"; L90: import { request } from "node:http"; L91: import { homedir } from "node:os"; ... L99: function dataRoot() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/orangetree.jsView on unpkg · L64
dist/public/mermaid.jsView file
path = dist/public/mermaid.js kind = oversized_source_file sizeBytes = 3449175 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/public/mermaid.jsView on unpkg
dist/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @orangeworks/orangetree@0.26.0 matchedIdentity = npm:QG9yYW5nZXdvcmtzL29yYW5nZXRyZWU:0.26.0 similarity = 0.787 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server.jsView on unpkg

Findings

1 Critical5 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/server.js
HighChild Processdist/bin/orangetree.js
HighShelldist/bin/orangetree.js
HighSame File Env Network Executiondist/bin/orangetree.js
HighCross File Remote Execution Contextdist/bin/orangetree.js
HighOversized Source Filedist/public/mermaid.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License