@orangeworks/orangetree@0.28.0

Branching session-tree work-tracking tool (local-first, TypeScript)

AI Security Review

scanned 19h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs the orangetree CLI/server or enables in-app bot/remote/update features.
Impact
Could execute Claude/Codex tool actions in the user's project and expose the app remotely if configured, but source shows this as product functionality rather than unconsented lifecycle compromise.
Mechanism
first-party AI agent runner with default bypass permission mode and optional remote tunnel
Policy narrative
When invoked, orangetree starts a local daemon, manages Claude/Codex bot profiles, launches agent turns with an MCP server and default bypass permissions, and can enable authenticated remote access through a Newt tunnel. These are high-risk AI-agent capabilities, but inspection did not find npm lifecycle execution, broad foreign agent control-surface planting, credential copying, or covert exfiltration.
Rationale
The package contains dangerous agent orchestration primitives, but they are package-aligned and user/runtime invoked rather than install-time or covert behavior. Because the default bypass permission mode and remote/tunnel capability create meaningful residual risk, warn rather than block.
Evidence
  • package.json
  • dist/bin/orangetree.js
  • dist/server.js
  • README.md
  • CHANGELOG.md
  • ~/.orangetree
  • ~/.orangetree-bots
  • ~/.claude
  • <project>/.otree/uploads
Network endpoints (4)
  • api.orangetree.dev
  • registry.npmjs.org/-/package/@orangeworks/orangetree/dist-tags
  • github.com/fosrl/newt/releases/download/1.13.0
  • api.openai.com/auth

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/server.js runs Claude/Codex agents with tool access and default permissionMode bypassPermissions unless settings choose ask.
  • dist/server.js exposes an orange-tree MCP server to Claude sessions and injects package/system guidelines into agent runs.
  • dist/server.js can download/run Newt tunnel binaries for remote mode and persists tunnel credentials under app data.
  • dist/bin/orangetree.js starts a detached background daemon and has a user-invoked self-update path that runs npm install -g @orangeworks/orangetree@tag.
  • dist/server.js auto-bootstraps an ambient ~/.claude profile when already logged in.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • Main risky behavior is activated by running the orangetree CLI/server or using the UI, not by npm install/import alone.
  • Agent config/profile writes are under ~/.orangetree or ~/.orangetree-bots, with ambient ~/.claude only referenced for existing login discovery.
  • Remote mode is opt-in via OTREE_REMOTE_* config, token/cloud auth, or pairing; default server binds to 127.0.0.1.
  • No source evidence of credential harvesting or exfiltration beyond package-aligned auth/status, tunnel, update, and agent-session features.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, Telemetry, UrlStrings
Manifest
NoLicense
scanned 80 file(s), 2.00 MB of source, external domains: 127.0.0.1, api.openai.com, api.orangetree.dev, github.com, json-schema.org, orangetree.dev, registry.npmjs.org, www.w3.org
Oversized source lightweight scan
dist/public/mermaid.js · 3.29 MB file, sampled 256 KB
Network, ChildProcess, HighEntropyStrings, Telemetry, UrlStrings · github.com, www.w3.org

Source & flagged code

6 flagged
dist/bin/orangetree.js
L87: // lib/daemon.ts
L88: import { spawn, spawnSync } from "node:child_process";
L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/bin/orangetree.js · L87
L312: const ps = `$s=(New-Object -ComObject WScript.Shell).CreateShortcut(${psStr(lnk)});$s.TargetPath=${psStr(wscript)};$s.Arguments=${psStr(`//B //Nologo "${vbs}"`)};$s.Description='Or...
L313: spawnSync("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", windowsHide: true });
L314: }
High
Shell

Package source references shell execution.

dist/bin/orangetree.js · L312
L87: // lib/daemon.ts
L88: import { spawn, spawnSync } from "node:child_process";
L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
L90: import { request } from "node:http";
L91: import { homedir } from "node:os";
...
L99: function dataRoot() {
L100:   return process.env.OTREE_DATA ?? join2(homedir(), ".orangetree");
L101: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/orangetree.js · L87
Cross-file remote execution chain: dist/bin/orangetree.js spawns dist/server.js; helper contains network access plus dynamic code execution.
L64: try {
L65:   return normalize(JSON.parse(readFileSync(path, "utf8")));
L66: } catch {
...
L72: const fill = (key, value) => {
L73:   if (value != null && process.env[key] === void 0) process.env[key] = value;
L74: };
...
L87: // lib/daemon.ts
L88: import { spawn, spawnSync } from "node:child_process";
L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
L90: import { request } from "node:http";
L91: import { homedir } from "node:os";
...
L99: function dataRoot() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/orangetree.js · L64
dist/public/mermaid.js
path = dist/public/mermaid.js
kind = oversized_source_file
sizeBytes = 3449175
magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/public/mermaid.js
dist/server.js
matchType = previous_version_dangerous_delta
matchedPackage = @orangeworks/orangetree@0.27.1
matchedIdentity = npm:QG9yYW5nZXdvcmtzL29yYW5nZXRyZWU:0.27.1
similarity = 0.829
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/server.js

Findings

1 Critical · 5 High · 3 Medium · 6 Low
Critical · Previous Version Dangerous Delta · dist/server.js
High · Child Process · dist/bin/orangetree.js
High · Shell · dist/bin/orangetree.js
High · Same File Env Network Execution · dist/bin/orangetree.js
High · Cross File Remote Execution Context · dist/bin/orangetree.js
High · Oversized Source File · dist/public/mermaid.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License