@oriro/orirocli@0.1.11

ORIRO — a free, on-device-friendly terminal AI agent. Built on the Pi agent harness (used as a library).

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The risky primitives are exposed as explicit CLI/skill functionality for an AI agent and include local safety rules rather than hidden install-time behavior.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
User runs the oriro CLI or invokes bundled skills/commands.
Impact
Expected CLI behavior; no hidden credential theft, persistence, or lifecycle execution confirmed.
Mechanism
User-invoked AI agent, connector, web-inspection, voice, and skill helper functionality.
Rationale
Scanner hits map to defensive regex rules, explicit user-invoked CLI features, examples, and helper scripts rather than concrete malicious execution. With no install-time/import-time payload, hidden exfiltration, persistence, or unconsented AI-agent control-surface mutation found, the package should not be blocked.
Evidence
  • package.json
  • dist/cli.js
  • skills/technical/api-builder/SKILL.md
  • skills/craft/uipm-design-system/scripts/generate-tokens.cjs
  • skills/uipm-ui-styling/scripts/shadcn_add.py
  • skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/cli.js contains powerful user-invoked features: browser capture, ffmpeg/recorder spawning, local config writes, bot token storage.
  • skills/graphify and other bundled skills include install/hook tooling, but not wired to npm lifecycle execution.
Evidence against
  • package.json has no install/postinstall/prepare hook; only prepublishOnly for publisher-side build/tests.
  • dist/cli.js reverse-shell and exfil patterns are Guardian detection rules that block risky user/agent commands, not executed payloads.
  • dist/cli.js network calls are package-aligned: AI routers, Discord/Telegram token validation, web inspection commands.
  • dist/cli.js entrypoint only parses CLI commands or starts the REPL; no import-time credential harvesting or exfiltration found.
  • skills/technical/api-builder/SKILL.md contains example token/API-key text, not a live secret.
  • skills scripts inspected are user-invoked helpers/tests for token generation or shadcn installation.
Behavioral surface
Source
ChildProcess · Crypto · DynamicRequire · EnvironmentVars · Filesystem · Network · Shell
Supply chain
HighEntropyStrings · Minified · Telemetry · UrlStrings
Manifest
NoLicense
scanned 156 file(s), 2.36 MB of source, external domains: ai-gateway.vercel.sh, aihorde.net, airtable.com, aistudio.google.com, anyscale.com, api.ai21.com, api.assemblyai.com, api.berget.ai, api.cerebras.ai, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.endpoints.anyscale.com, api.fireworks.ai, api.groq.com, api.hyperbolic.xyz, api.imgflip.com, api.inference.net, api.llm7.io, api.mistral.ai, api.moonshot.ai, api.nlpcloud.io, api.novita.ai, api.portkey.ai, api.replicate.com, api.sambanova.ai, api.scaleway.ai, api.siliconflow.cn, api.slack.com, api.stability.ai, api.studio.nebius.ai, api.together.ai, api.together.xyz, api.upstage.ai, api.wavespeed.ai, api.x.ai, api.z.ai, app.hyperbolic.xyz, assemblyai.com, baseten.co, berget.ai, build.nvidia.com, chutes.ai, cloud.cerebras.ai, cloud.google.com, cloud.sambanova.ai, console.groq.com, console.mistral.ai, console.scaleway.com, console.upstage.ai

Source & flagged code

20 flagged
skills/technical/api-builder/SKILL.md
L94: patternName = supabase_service_key; severity = critical; line = 94; matchedText = eyJhbGci...sw5c
Critical
Critical Secret

Package contains a critical-looking secret pattern.

skills/technical/api-builder/SKILL.md · L94
L94: patternName = supabase_service_key; severity = critical; line = 94; matchedText = eyJhbGci...sw5c
Critical
Secret Pattern

Supabase service role key (JWT) in skills/technical/api-builder/SKILL.md

skills/technical/api-builder/SKILL.md · L94
dist/cli.js
L118: }
L119: function toBase642(bytes) {
L120: const g = globalThis;
...
L145: DEFAULT_VIEWPORT = { width: 1280, height: 800 };
L146: defaultImgSrc = (c) => c.png ? `data:image/png;base64,${toBase642(c.png)}` : "";
L147: }
...
L155: import { createInterface as createInterface6 } from "readline/promises";
L156: import { stdin as stdin6, stdout as stdout7 } from "process";
L157:
...
L349: function oriroDir() {
L350: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
L351: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.js · L118
L118: }
L119: function toBase642(bytes) {
L120: const g = globalThis;
...
L145: DEFAULT_VIEWPORT = { width: 1280, height: 800 };
L146: defaultImgSrc = (c) => c.png ? `data:image/png;base64,${toBase642(c.png)}` : "";
L147: }
...
L155: import { createInterface as createInterface6 } from "readline/promises";
L156: import { stdin as stdin6, stdout as stdout7 } from "process";
L157:
...
L349: function oriroDir() {
L350: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
L351: }
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli.js · L118
L118: }
L119: function toBase642(bytes) {
L120: const g = globalThis;
...
L145: DEFAULT_VIEWPORT = { width: 1280, height: 800 };
L146: defaultImgSrc = (c) => c.png ? `data:image/png;base64,${toBase642(c.png)}` : "";
L147: }
...
L155: import { createInterface as createInterface6 } from "readline/promises";
L156: import { stdin as stdin6, stdout as stdout7 } from "process";
L157:
...
L349: function oriroDir() {
L350: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
L351: }
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/cli.js · L118
Trigger-reachable chain: manifest.bin -> dist/cli.js
L118: }
L119: function toBase642(bytes) {
L120: const g = globalThis;
...
L145: DEFAULT_VIEWPORT = { width: 1280, height: 800 };
L146: defaultImgSrc = (c) => c.png ? `data:image/png;base64,${toBase642(c.png)}` : "";
L147: }
...
L155: import { createInterface as createInterface6 } from "readline/promises";
L156: import { stdin as stdin6, stdout as stdout7 } from "process";
L157:
...
L349: function oriroDir() {
L350: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
L351: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.js · L118
matchType = previous_version_dangerous_delta; matchedPackage = @oriro/orirocli@0.1.9; matchedIdentity = npm:QG9yaXJvL29yaXJvY2xp:0.1.9; similarity = 0.992; summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.js
L528: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
L529: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
L530: ];
High
Child Process

Package source references child process execution.

dist/cli.js · L528
L673: new RegExp(`\\b(bash|sh|zsh|ksh|eval)\\b[^\\n]*\\$\\(\\s*${FETCH}\\b`, "i"),
L674: // bash -c "$(curl)"
L675: new RegExp(`\\$\\(\\s*${FETCH}\\b[^)]*\\)`, "i"),
High
Shell

Package source references shell execution.

dist/cli.js · L673
L118: }
L119: function toBase642(bytes) {
L120: const g = globalThis;
...
L145: DEFAULT_VIEWPORT = { width: 1280, height: 800 };
L146: defaultImgSrc = (c) => c.png ? `data:image/png;base64,${toBase642(c.png)}` : "";
L147: }
...
L155: import { createInterface as createInterface6 } from "readline/promises";
L156: import { stdin as stdin6, stdout as stdout7 } from "process";
L157:
...
L349: function oriroDir() {
L350: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
L351: }
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

dist/cli.js · L118
L118: }
L119: function toBase642(bytes) {
L120: const g = globalThis;
...
L145: DEFAULT_VIEWPORT = { width: 1280, height: 800 };
L146: defaultImgSrc = (c) => c.png ? `data:image/png;base64,${toBase642(c.png)}` : "";
L147: }
...
L155: import { createInterface as createInterface6 } from "readline/promises";
L156: import { stdin as stdin6, stdout as stdout7 } from "process";
L157:
...
L349: function oriroDir() {
L350: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
L351: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.js · L118
skills/craft/uipm-design-system/scripts/generate-tokens.cjs
L9:
L10: const fs = require("fs");
L11: const path = require("path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

skills/craft/uipm-design-system/scripts/generate-tokens.cjs · L9
skills/impeccable/scripts/live-svelte-component.mjs
L20: export function [redacted](filePath) {
L21: if (/^(0|false|no)$/i.test(process.env.IMPECCABLE_LIVE_SVELTE_COMPONENT || '')) return false;
L22: return path.extname(filePath).toLowerCase() === '.svelte';
...
L24:
L25: export function componentSessionDir(id, cwd = process.cwd()) {
L26: return path.join(cwd, SVELTE_COMPONENT_ROOT, id);
...
L255: export function readManifest(manifestPath) {
L256: const data = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
L257: return {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

skills/impeccable/scripts/live-svelte-component.mjs · L20
skills/impeccable/scripts/live-server.mjs
Cross-file remote execution chain: skills/impeccable/scripts/live-server.mjs spawns skills/impeccable/scripts/live-browser.js; helper contains network access plus dynamic code execution.
L15:
L16: import http from 'node:http';
L17: import { randomUUID } from 'node:crypto';
L18: import { spawn, execFileSync } from 'node:child_process';
L19: import fs from 'node:fs';
...
L50:
L51: const __dirname = path.dirname(fileURLToPath(import.meta.url));
L52: // PRODUCT.md / DESIGN.md live wherever context.mjs resolves. The generated
...
L103: const CHAT_POLL_FRESHNESS_MS = 60_000;
L104: const APPLY_EVENT_HARD_TIMEOUT_MS = Number(process.env.IMPECCABLE_LIVE_APPLY_EVENT_HARD_TIMEOUT_MS || 150_000);
L105: const APPLY_EVENT_SOFT_DEADLINE_MS = Number(process.env.IMPECCABLE_LIVE_APPLY_EVENT_SOFT_DEADLINE_MS || 120_000);
...
L471: ok: false,
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

skills/impeccable/scripts/live-server.mjs · L15
skills/craft/vercel-optimize/lib/vercel.mjs
L15: try {
L16: const { stdout } = await exec("vercel", ["--version"]);
L17: raw = stdout.trim();
...
L29: throw new Error(
L30: `VERCEL_CLI_TOO_OLD: have ${v.join(".")}, need >= ${MIN_CLI_VERSION.join(".")}. Upgrade with \`npm i -g vercel@latest\`.`,
L31: );
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

skills/craft/vercel-optimize/lib/vercel.mjs · L15
skills/model-usage/scripts/test_model_usage.py
path = skills/model-usage/scripts/test_model_usage.py; kind = build_helper; sizeBytes = 1350; magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/model-usage/scripts/test_model_usage.py
skills/theme-factory/theme-showcase.pdf
path = skills/theme-factory/theme-showcase.pdf; kind = high_entropy_blob; sizeBytes = 124310; magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

skills/theme-factory/theme-showcase.pdf
skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py
path = skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py; kind = payload_in_excluded_dir; sizeBytes = 10186; magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py
skills/graphify/skill-devin.md
L678: patternName = generic_password; severity = medium; line = 678; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-devin.md

skills/graphify/skill-devin.md · L678
skills/graphify/skill-aider.md
L561: patternName = generic_password; severity = medium; line = 561; matchedText = result =...ies)
Medium
Secret Pattern

Hardcoded password in skills/graphify/skill-aider.md

skills/graphify/skill-aider.md · L561

Findings

7 Critical · 7 High · 8 Medium · 8 Low
Critical · Critical Secret · skills/technical/api-builder/SKILL.md
Critical · Credential Exfiltration · dist/cli.js
Critical · Command Output Exfiltration · dist/cli.js
Critical · Reverse Shell · dist/cli.js
Critical · Trigger Reachable Dangerous Capability · dist/cli.js
Critical · Previous Version Dangerous Delta · dist/cli.js
Critical · Secret Pattern · skills/technical/api-builder/SKILL.md
High · Child Process · dist/cli.js
High · Shell · dist/cli.js
High · Cloud Metadata Access · dist/cli.js
High · Cross File Remote Execution Context · skills/impeccable/scripts/live-server.mjs
High · Runtime Package Install · skills/craft/vercel-optimize/lib/vercel.mjs
High · Ships High Entropy Blob · skills/theme-factory/theme-showcase.pdf
High · Payload In Excluded Dir · skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py
Medium · Dynamic Require · skills/craft/uipm-design-system/scripts/generate-tokens.cjs
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/cli.js
Medium · Ships Build Helper · skills/model-usage/scripts/test_model_usage.py
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · skills/graphify/skill-devin.md
Medium · Secret Pattern · skills/graphify/skill-aider.md
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · skills/impeccable/scripts/live-svelte-component.mjs
Low · Filesystem
Low · High Entropy Strings
Low · Telemetry
Low · Url Strings
Low · No License