
@orangeworks/orangetree@0.27.0

Branching session-tree work-tracking tool (local-first, TypeScript)

AI Security Review

scanned 3d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package has powerful user-invoked local agent, daemon, update, tunnel, and service-runner features, but they align with the documented local-first AI work-tracking app.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs orangetree, starts the server, enables remote/pairing, launches bots, starts project services, or invokes update.
Impact
No unconsented install/import-time execution, exfiltration, persistence, or AI-agent control-surface mutation identified.
Mechanism
user-invoked local AI orchestration and daemon management
Rationale
Static source inspection shows a legitimate local AI session management app with explicit runtime commands and package-aligned network behavior. Suspicious primitives such as spawn, shell, env access, and downloads are tied to documented user workflows rather than install-time or covert attack behavior.
Evidence
package.json, README.md, dist/bin/orangetree.js, dist/server.js
Network endpoints (4)
api.orangetree.dev, orangetree.dev, github.com/fosrl/newt/releases/download/1.13.0, registry.npmjs.org/-/package/@orangeworks/orangetree/dist-tags

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
Evidence against
• package.json has no install/preinstall/postinstall lifecycle hooks; main/bin are runtime entrypoints only.
• dist/bin/orangetree.js starts/stops a local daemon, opens browser, and runs self-update only via explicit CLI/API action.
• dist/server.js binds local UI to 127.0.0.1 by default and gates remote mode with token/cloud session auth.
• Claude/Codex spawns use user-selected bot config dirs and are core to the session-tree tool described in README.md.
• Network use is package-aligned: orangetree.dev cloud/pairing, npm dist-tags update check, GitHub newt download with pinned SHA256.
• No credential harvesting or exfiltration path found; credentials are stored/used locally for user-invoked bot login and remote pairing.
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Telemetry, Url Strings
Manifest: No License
scanned 67 file(s), 1.87 MB of source, external domains: 127.0.0.1, api.orangetree.dev, github.com, json-schema.org, orangetree.dev, registry.npmjs.org, www.w3.org
Oversized source lightweight scan
dist/public/mermaid.js · 3.29 MB file, sampled 256 KB
Signals: Network, Child Process, High Entropy Strings, Telemetry, Url Strings · domains: github.com, www.w3.org

Source & flagged code

6 flagged
dist/bin/orangetree.js
L87: // lib/daemon.ts
L88: import { spawn, spawnSync } from "node:child_process";
L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/bin/orangetree.js · L87
L312: const ps = `$s=(New-Object -ComObject WScript.Shell).CreateShortcut(${psStr(lnk)});$s.TargetPath=${psStr(wscript)};$s.Arguments=${psStr(`//B //Nologo "${vbs}"`)};$s.Description='Or...
L313: spawnSync("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", windowsHide: true });
L314: }
High
Shell

Package source references shell execution.

dist/bin/orangetree.js · L312
L87: // lib/daemon.ts
L88: import { spawn, spawnSync } from "node:child_process";
L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
L90: import { request } from "node:http";
L91: import { homedir } from "node:os";
...
L99: function dataRoot() {
L100: return process.env.OTREE_DATA ?? join2(homedir(), ".orangetree");
L101: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/orangetree.js · L87
Cross-file remote execution chain: dist/bin/orangetree.js spawns dist/server.js; helper contains network access plus dynamic code execution.
L64: try {
L65: return normalize(JSON.parse(readFileSync(path, "utf8")));
L66: } catch {
...
L72: const fill = (key, value) => {
L73: if (value != null && process.env[key] === void 0) process.env[key] = value;
L74: };
...
L87: // lib/daemon.ts
L88: import { spawn, spawnSync } from "node:child_process";
L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
L90: import { request } from "node:http";
L91: import { homedir } from "node:os";
...
L99: function dataRoot() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/orangetree.js · L64
dist/public/mermaid.js
path = dist/public/mermaid.js · kind = oversized_source_file · sizeBytes = 3449175 · magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/public/mermaid.js
dist/server.js
matchType = previous_version_dangerous_delta · matchedPackage = @orangeworks/orangetree@0.26.0 · matchedIdentity = npm:QG9yYW5nZXdvcmtzL29yYW5nZXRyZWU:0.26.0 · similarity = 0.894 · summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server.js

Findings

1 Critical · 5 High · 3 Medium · 6 Low
Critical · Previous Version Dangerous Delta · dist/server.js
High · Child Process · dist/bin/orangetree.js
High · Shell · dist/bin/orangetree.js
High · Same File Env Network Execution · dist/bin/orangetree.js
High · Cross File Remote Execution Context · dist/bin/orangetree.js
High · Oversized Source File · dist/public/mermaid.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License