@orangeworks/orangetree@0.26.0

Branching session-tree work-tracking tool (local-first, TypeScript)

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a local-first OrangeTree server/CLI with explicit AI-agent orchestration, remote pairing, update, and tunnel features gated by runtime configuration or local API actions.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source
Trigger
User runs orangetree CLI/server or uses local/remote authenticated API actions
Impact
Can spawn configured tools and write app/workspace state during normal use; no unconsented install-time or import-time attack behavior found
Mechanism
Product-aligned local daemon, agent orchestration, tunnel pairing, and update checks
Rationale
Static inspection confirms powerful runtime capabilities, but they are consistent with the package's stated local AI work-tracking/tunneling functionality and are not triggered by install/import without user action. No concrete malicious credential theft, persistence abuse, destructive behavior, or unauthorized AI-agent control-surface mutation was found.
Evidence
  • package.json
  • dist/bin/orangetree.js
  • dist/server.js
  • dist/public/api.js
  • dist/public/app.js
Network endpoints (4)
  • registry.npmjs.org/-/package/@orangeworks/orangetree/dist-tags
  • github.com/fosrl/newt/releases/download/1.13.0
  • api.orangetree.dev
  • orangetree.dev

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/server.js runs Claude/Codex agents and configured service commands on API actions
  • dist/server.js can download pinned Newt tunnel binary and contact cloud APIs when remote mode is configured
  • dist/bin/orangetree.js spawns a detached local daemon and supports self-update via global npm install
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks
  • dist/bin/orangetree.js default action starts/opens a local daemon, not hidden import-time malware
  • dist/server.js binds local mode to 127.0.0.1 and gates remote APIs with token/cloud session auth
  • agent, shell, update, tunnel, and report behavior is product-aligned and user/API invoked
  • network hosts are registry.npmjs.org, github.com/fosrl/newt, api.orangetree.dev/orangetree.dev, or configured cloud URLs
  • no credential harvesting or exfiltration beyond explicit bot login/profile and cloud pairing flows found
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, Telemetry, Url Strings
Manifest
No License
scanned 67 file(s), 1.86 MB of source, external domains: 127.0.0.1, api.orangetree.dev, github.com, json-schema.org, orangetree.dev, registry.npmjs.org, www.w3.org
Oversized source lightweight scan
dist/public/mermaid.js: 3.29 MB file, sampled 256 KB
Network, Child Process, High Entropy Strings, Telemetry, Url Strings; external domains: github.com, www.w3.org

Source & flagged code

6 flagged
dist/bin/orangetree.js
  L87: // lib/daemon.ts
  L88: import { spawn, spawnSync } from "node:child_process";
  L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/bin/orangetree.js · L87
  L312: const ps = `$s=(New-Object -ComObject WScript.Shell).CreateShortcut(${psStr(lnk)});$s.TargetPath=${psStr(wscript)};$s.Arguments=${psStr(`//B //Nologo "${vbs}"`)};$s.Description='Or...
  L313: spawnSync("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", windowsHide: true });
  L314: }
High
Shell

Package source references shell execution.

dist/bin/orangetree.js · L312
  L87: // lib/daemon.ts
  L88: import { spawn, spawnSync } from "node:child_process";
  L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
  L90: import { request } from "node:http";
  L91: import { homedir } from "node:os";
  ...
  L99: function dataRoot() {
  L100: return process.env.OTREE_DATA ?? join2(homedir(), ".orangetree");
  L101: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/orangetree.js · L87
Cross-file remote execution chain: dist/bin/orangetree.js spawns dist/server.js; helper contains network access plus dynamic code execution.
  L64: try {
  L65: return normalize(JSON.parse(readFileSync(path, "utf8")));
  L66: } catch {
  ...
  L72: const fill = (key, value) => {
  L73: if (value != null && process.env[key] === void 0) process.env[key] = value;
  L74: };
  ...
  L87: // lib/daemon.ts
  L88: import { spawn, spawnSync } from "node:child_process";
  L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
  L90: import { request } from "node:http";
  L91: import { homedir } from "node:os";
  ...
  L99: function dataRoot() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/orangetree.js · L64
dist/public/mermaid.js
  path = dist/public/mermaid.js
  kind = oversized_source_file
  sizeBytes = 3449175
  magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/public/mermaid.js
dist/server.js
  matchType = previous_version_dangerous_delta
  matchedPackage = @orangeworks/orangetree@0.25.1
  matchedIdentity = npm:QG9yYW5nZXdvcmtzL29yYW5nZXRyZWU:0.25.1
  similarity = 0.857
  summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/server.js

Findings

1 Critical · 5 High · 3 Medium · 6 Low
  • Critical · Previous Version Dangerous Delta · dist/server.js
  • High · Child Process · dist/bin/orangetree.js
  • High · Shell · dist/bin/orangetree.js
  • High · Same File Env Network Execution · dist/bin/orangetree.js
  • High · Cross File Remote Execution Context · dist/bin/orangetree.js
  • High · Oversized Source File · dist/public/mermaid.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Telemetry
  • Low · Url Strings
  • Low · No License