@oriro/orirocli@0.4.3

ORIRO — a free, on-device-friendly terminal AI agent. Built on the Pi agent harness (used as a library).

AI Security Review

scanned 16m ago · by lpm-firewall-ai

No confirmed malicious attack surface was found by source inspection. Risky primitives are tied to a user-invoked terminal AI agent, Guardian command screening, optional channel integrations, and explicit setup commands.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the oriro/orirocli binary or specific subcommands.
Impact
No evidence of unconsented credential theft, persistence, destructive behavior, remote payload execution, or AI-agent control hijack.
Mechanism
User-invoked AI agent and integration tooling, not install-time execution.
Rationale
Static source inspection indicates the scanner’s critical hits are mostly defensive regex signatures and expected AI-agent/network functionality. There is no install-time execution, stealth persistence, credential harvesting, or unconsented mutation of a foreign AI-agent control surface.
Evidence
package.json, dist/cli.js, skills/craft/uipm-design-system/scripts/generate-tokens.cjs, skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py, skills/technical/api-builder/SKILL.md, skills/theme-factory/theme-showcase.pdf, ~/.oriro/config.json, ~/.oriro/channels.json, ~/.oriro/session.json, ~/.oriro/skills, ~/.oriro/scribe, ~/.oriro/weights
Network endpoints (5)
text.pollinations.ai/openai, discord.com/api/v10/users/@me, oriro.ai, oriro.ai/api/weights/manifest, oriro.ai/api/weights/resume

Decision evidence

public snapshot
AI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks; only prepublishOnly for publisher build/test/smoke.
    • dist/cli.js reverse-shell/secret-exfil matches are Guardian rule regexes that block dangerous user commands, not active payload code.
    • dist/cli.js bin is a user-invoked AI CLI with explicit commands for chat, channels, connectors, skills, models, and setup.
    • Network calls are package-aligned: LLM/router APIs, oriro.ai model/avatar endpoints, Discord/Telegram token validation, and user-requested site inspection.
    • Secrets/tokens are stored under ~/.oriro by explicit commands such as channels add/login; no import-time harvesting or exfil loop found.
    • skills/craft/uipm-design-system/scripts/generate-tokens.cjs is a local token file generator; bundled PDF/test files are inert content.
    Behavioral surface
    Source
    ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell
    Supply chain
    HighEntropyStrings, Minified, Obfuscated, Telemetry, UrlStrings
    Manifest
    NoLicense
    scanned 156 file(s), 2.49 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, aihorde.net, airtable.com, aistudio.google.com, anyscale.com, api.ai21.com, api.assemblyai.com, api.berget.ai, api.cerebras.ai, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.endpoints.anyscale.com, api.fireworks.ai, api.groq.com, api.hyperbolic.xyz, api.imgflip.com, api.inference.net, api.llm7.io, api.mistral.ai, api.moonshot.ai, api.nlpcloud.io, api.novita.ai, api.portkey.ai, api.replicate.com, api.sambanova.ai, api.scaleway.ai, api.siliconflow.cn, api.slack.com, api.stability.ai, api.studio.nebius.ai, api.together.ai, api.together.xyz, api.upstage.ai, api.wavespeed.ai, api.x.ai, api.z.ai, app.hyperbolic.xyz, assemblyai.com, baseten.co, berget.ai, build.nvidia.com, chutes.ai, cloud.cerebras.ai, cloud.google.com, cloud.sambanova.ai, console.groq.com, console.mistral.ai, console.scaleway.com

    Source & flagged code

    17 flagged
    skills/technical/api-builder/SKILL.md
    L94: patternName = supabase_service_key severity = critical line = 94 matchedText = eyJhbGci...sw5c
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    skills/technical/api-builder/SKILL.md · L94
    L94: patternName = supabase_service_key severity = critical line = 94 matchedText = eyJhbGci...sw5c
    Critical
    Secret Pattern

    Supabase service role key (JWT) in skills/technical/api-builder/SKILL.md

    skills/technical/api-builder/SKILL.md · L94
    dist/cli.js
    L69: function oriroDir() {
    L70: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
    L71: }
    ...
    L139: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
    L140: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
    L141: ];
    ...
    L218: stripQuotes = (t) => t.replace(/^['"]+/, "").replace(/['"]+$/, "");
    L219: SYS_DIR = "(etc|usr|bin|sbin|var|boot|lib|lib64|sys|proc|dev|root|opt|windows|system32|programdata|library|applications|system|private|cores|volumes|network)";
    L220: DISK = "(sd|nvme|disk|hd|vd|xvd|mmcblk|loop)";
    ...
    L274: /\b(nc|ncat|netcat)\b[^\n]*\s-[a-z]*e\b/i,
    L275: // nc/ncat -e
    L276: /\b(ncat|socat)\b[^\n]*exec[: ]/i,
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/cli.js · L69
    L69: function oriroDir() {
    L70: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
    L71: }
    ...
    L139: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
    L140: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
    L141: ];
    ...
    L218: stripQuotes = (t) => t.replace(/^['"]+/, "").replace(/['"]+$/, "");
    L219: SYS_DIR = "(etc|usr|bin|sbin|var|boot|lib|lib64|sys|proc|dev|root|opt|windows|system32|programdata|library|applications|system|private|cores|volumes|network)";
    L220: DISK = "(sd|nvme|disk|hd|vd|xvd|mmcblk|loop)";
    ...
    L274: /\b(nc|ncat|netcat)\b[^\n]*\s-[a-z]*e\b/i,
    L275: // nc/ncat -e
    L276: /\b(ncat|socat)\b[^\n]*exec[: ]/i,
    Critical
    Command Output Exfiltration

    Source executes local commands and sends command output to an external endpoint.

    dist/cli.js · L69
    L69: function oriroDir() {
    L70: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
    L71: }
    ...
    L139: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
    L140: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
    L141: ];
    ...
    L218: stripQuotes = (t) => t.replace(/^['"]+/, "").replace(/['"]+$/, "");
    L219: SYS_DIR = "(etc|usr|bin|sbin|var|boot|lib|lib64|sys|proc|dev|root|opt|windows|system32|programdata|library|applications|system|private|cores|volumes|network)";
    L220: DISK = "(sd|nvme|disk|hd|vd|xvd|mmcblk|loop)";
    ...
    L274: /\b(nc|ncat|netcat)\b[^\n]*\s-[a-z]*e\b/i,
    L275: // nc/ncat -e
    L276: /\b(ncat|socat)\b[^\n]*exec[: ]/i,
    Critical
    Reverse Shell

    Source matches reverse-shell style process and socket wiring.

    dist/cli.js · L69
    Trigger-reachable chain: manifest.bin -> dist/cli.js
    L69: function oriroDir() {
    L70: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
    L71: }
    ...
    L139: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
    L140: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
    L141: ];
    ...
    L218: stripQuotes = (t) => t.replace(/^['"]+/, "").replace(/['"]+$/, "");
    L219: SYS_DIR = "(etc|usr|bin|sbin|var|boot|lib|lib64|sys|proc|dev|root|opt|windows|system32|programdata|library|applications|system|private|cores|volumes|network)";
    L220: DISK = "(sd|nvme|disk|hd|vd|xvd|mmcblk|loop)";
    ...
    L274: /\b(nc|ncat|netcat)\b[^\n]*\s-[a-z]*e\b/i,
    L275: // nc/ncat -e
    L276: /\b(ncat|socat)\b[^\n]*exec[: ]/i,
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cli.js · L69
    L139: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
    L140: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
    L141: ];
    High
    Child Process

    Package source references child process execution.

    dist/cli.js · L139
    L254: new RegExp(`\\b(bash|sh|zsh|ksh|eval)\\b[^\\n]*\\$\\(\\s*${FETCH}\\b`, "i"),
    L255: // bash -c "$(curl)"
    L256: new RegExp(`\\$\\(\\s*${FETCH}\\b[^)]*\\)`, "i"),
    High
    Shell

    Package source references shell execution.

    dist/cli.js · L254
    L69: function oriroDir() {
    L70: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
    L71: }
    ...
    L139: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
    L140: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
    L141: ];
    ...
    L218: stripQuotes = (t) => t.replace(/^['"]+/, "").replace(/['"]+$/, "");
    L219: SYS_DIR = "(etc|usr|bin|sbin|var|boot|lib|lib64|sys|proc|dev|root|opt|windows|system32|programdata|library|applications|system|private|cores|volumes|network)";
    L220: DISK = "(sd|nvme|disk|hd|vd|xvd|mmcblk|loop)";
    ...
    L274: /\b(nc|ncat|netcat)\b[^\n]*\s-[a-z]*e\b/i,
    L275: // nc/ncat -e
    L276: /\b(ncat|socat)\b[^\n]*exec[: ]/i,
    High
    Cloud Metadata Access

    Source reaches cloud instance metadata or link-local credential endpoints.

    dist/cli.js · L69
    L69: function oriroDir() {
    L70: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
    L71: }
    ...
    L139: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
    L140: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
    L141: ];
    ...
    L218: stripQuotes = (t) => t.replace(/^['"]+/, "").replace(/['"]+$/, "");
    L219: SYS_DIR = "(etc|usr|bin|sbin|var|boot|lib|lib64|sys|proc|dev|root|opt|windows|system32|programdata|library|applications|system|private|cores|volumes|network)";
    L220: DISK = "(sd|nvme|disk|hd|vd|xvd|mmcblk|loop)";
    ...
    L274: /\b(nc|ncat|netcat)\b[^\n]*\s-[a-z]*e\b/i,
    L275: // nc/ncat -e
    L276: /\b(ncat|socat)\b[^\n]*exec[: ]/i,
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/cli.js · L69
    skills/craft/uipm-design-system/scripts/generate-tokens.cjs
    L9:
    L10: const fs = require("fs");
    L11: const path = require("path");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    skills/craft/uipm-design-system/scripts/generate-tokens.cjs · L9
    skills/impeccable/scripts/live-svelte-component.mjs
    L20: export function [redacted](filePath) {
    L21: if (/^(0|false|no)$/i.test(process.env.IMPECCABLE_LIVE_SVELTE_COMPONENT || '')) return false;
    L22: return path.extname(filePath).toLowerCase() === '.svelte';
    ...
    L24:
    L25: export function componentSessionDir(id, cwd = process.cwd()) {
    L26: return path.join(cwd, SVELTE_COMPONENT_ROOT, id);
    ...
    L255: export function readManifest(manifestPath) {
    L256: const data = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
    L257: return {
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    skills/impeccable/scripts/live-svelte-component.mjs · L20
    skills/impeccable/scripts/live-server.mjs
    Cross-file remote execution chain: skills/impeccable/scripts/live-server.mjs spawns skills/impeccable/scripts/live-browser.js; helper contains network access plus dynamic code execution.
    L15:
    L16: import http from 'node:http';
    L17: import { randomUUID } from 'node:crypto';
    L18: import { spawn, execFileSync } from 'node:child_process';
    L19: import fs from 'node:fs';
    ...
    L50:
    L51: const __dirname = path.dirname(fileURLToPath(import.meta.url));
    L52: // PRODUCT.md / DESIGN.md live wherever context.mjs resolves. The generated
    ...
    L103: const CHAT_POLL_FRESHNESS_MS = 60_000;
    L104: const APPLY_EVENT_HARD_TIMEOUT_MS = Number(process.env.IMPECCABLE_LIVE_APPLY_EVENT_HARD_TIMEOUT_MS || 150_000);
    L105: const APPLY_EVENT_SOFT_DEADLINE_MS = Number(process.env.IMPECCABLE_LIVE_APPLY_EVENT_SOFT_DEADLINE_MS || 120_000);
    ...
    L471: ok: false,
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    skills/impeccable/scripts/live-server.mjs · L15
    skills/craft/vercel-optimize/lib/vercel.mjs
    L15: try {
    L16: const { stdout } = await exec("vercel", ["--version"]);
    L17: raw = stdout.trim();
    ...
    L29: throw new Error(
    L30: `VERCEL_CLI_TOO_OLD: have ${v.join(".")}, need >= ${MIN_CLI_VERSION.join(".")}. Upgrade with \`npm i -g vercel@latest\`.`,
    L31: );
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    skills/craft/vercel-optimize/lib/vercel.mjs · L15
    skills/model-usage/scripts/test_model_usage.py
    path = skills/model-usage/scripts/test_model_usage.py kind = build_helper sizeBytes = 1310 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    skills/model-usage/scripts/test_model_usage.py
    skills/theme-factory/theme-showcase.pdf
    path = skills/theme-factory/theme-showcase.pdf kind = high_entropy_blob sizeBytes = 124310 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    skills/theme-factory/theme-showcase.pdf
    skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py
    path = skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py kind = payload_in_excluded_dir sizeBytes = 10186 magicHex = [redacted]
    High
    Payload In Excluded Dir

    Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

    skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py

    Findings

    6 Critical · 7 High · 6 Medium · 9 Low
    Critical · Critical Secret · skills/technical/api-builder/SKILL.md
    Critical · Credential Exfiltration · dist/cli.js
    Critical · Command Output Exfiltration · dist/cli.js
    Critical · Reverse Shell · dist/cli.js
    Critical · Trigger Reachable Dangerous Capability · dist/cli.js
    Critical · Secret Pattern · skills/technical/api-builder/SKILL.md
    High · Child Process · dist/cli.js
    High · Shell · dist/cli.js
    High · Cloud Metadata Access · dist/cli.js
    High · Cross File Remote Execution Context · skills/impeccable/scripts/live-server.mjs
    High · Runtime Package Install · skills/craft/vercel-optimize/lib/vercel.mjs
    High · Ships High Entropy Blob · skills/theme-factory/theme-showcase.pdf
    High · Payload In Excluded Dir · skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py
    Medium · Dynamic Require · skills/craft/uipm-design-system/scripts/generate-tokens.cjs
    Medium · Network
    Medium · Environment Vars
    Medium · Install Persistence · dist/cli.js
    Medium · Ships Build Helper · skills/model-usage/scripts/test_model_usage.py
    Medium · Structural Risk Force Deep Review
    Low · Non Install Lifecycle Scripts
    Low · Scripts Present
    Low · Weak Crypto · skills/impeccable/scripts/live-svelte-component.mjs
    Low · Filesystem
    Low · Obfuscated
    Low · High Entropy Strings
    Low · Telemetry
    Low · Url Strings
    Low · No License