@oriro/orirocli@0.1.7

ORIRO — a free, on-device-friendly terminal AI agent. Built on the Pi agent harness (used as a library).

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface is established. The package is an AI-agent CLI with user-invoked network/model/channel features and local ~/.oriro state, but no install-time execution or hidden exfiltration behavior was found.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the oriro/orirocli bin or explicit subcommands.
Impact
No confirmed unauthorized credential theft, persistence, destructive action, or exfiltration.
Mechanism
user-invoked AI agent CLI with Guardian safety checks and local config storage
Rationale
Static inspection shows scanner hits are mostly defensive detection patterns, docs/examples, or package-aligned user-invoked agent features. There is no concrete unconsented lifecycle execution, credential harvesting, exfiltration, persistence, or staged payload behavior.
Evidence
package.json, dist/cli.js, skills/craft/vercel-optimize/lib/vercel.mjs, skills/technical/api-builder/SKILL.md, ~/.oriro/language.json, ~/.oriro/guardian/config.json, ~/.oriro/channels.json, ~/.oriro/scribe/tmp/oriro-avatar-*.wav
Network endpoints (6)
oriro.ai, text.pollinations.ai/openai, api.llm7.io/v1, openrouter.ai/api/v1, generativelanguage.googleapis.com/v1beta, discord.com/api/v10/users/@me

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall lifecycle; only prepublishOnly for publisher-side build/test/smoke.
    • dist/cli.js scanner reverse-shell/exfil hits are Guardian regex rules that block dangerous commands, not active payloads.
    • dist/cli.js bin starts an interactive ORIRO CLI and registers user-invoked commands; no import-time exfiltration found.
    • Network calls are package-aligned: LLM router probes/chat, avatar fetch, and Telegram/Discord/WhatsApp channel features after user commands.
    • Local writes are user configuration under ~/.oriro and temp avatar WAV files; no persistence or shell startup modification found.
    • skills/technical/api-builder/SKILL.md contains illustrative API/JWT examples, not live credentials or executable code.
    Behavioral surface
    Source
    ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
    Supply chain
    HighEntropyStrings, Telemetry, UrlStrings
    Manifest
    NoLicense
    scanned 102 file(s), 863 KB of source

    Source & flagged code

    12 flagged
    skills/technical/api-builder/SKILL.md
    L94: patternName = supabase_service_key, severity = critical, line = 94, matchedText = eyJhbGci...sw5c
    Critical
    Critical Secret

    Package contains a critical-looking secret pattern.

    skills/technical/api-builder/SKILL.md · L94
    L94: patternName = supabase_service_key, severity = critical, line = 94, matchedText = eyJhbGci...sw5c
    Critical
    Secret Pattern

    Supabase service role key (JWT) in skills/technical/api-builder/SKILL.md

    skills/technical/api-builder/SKILL.md · L94
    dist/cli.js
    L8: import { createInterface as createInterface5 } from "readline/promises";
    L9: import { stdin as stdin5, stdout as stdout6 } from "process";
    L10: ...
    L202: function oriroDir() {
    L203: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
    L204: }
    ...
    L214: try {
    L215: return JSON.parse(readFileSync(file(), "utf8"));
    L216: } catch {
    ...
    L282: }
    L283: stdout.write(dim("\nBye.\n"));
    L284: process.exit(0);
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/cli.js · L8
    Critical
    Command Output Exfiltration

    Source executes local commands and sends command output to an external endpoint.

    dist/cli.js · L8
    Critical
    Reverse Shell

    Source matches reverse-shell style process and socket wiring.

    dist/cli.js · L8
    Trigger-reachable chain: manifest.bin -> dist/cli.js
    L8: import { createInterface as createInterface5 } from "readline/promises";
    L9: import { stdin as stdin5, stdout as stdout6 } from "process";
    L10: ...
    L202: function oriroDir() {
    L203: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro");
    L204: }
    ...
    L214: try {
    L215: return JSON.parse(readFileSync(file(), "utf8"));
    L216: } catch {
    ...
    L282: }
    L283: stdout.write(dim("\nBye.\n"));
    L284: process.exit(0);
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cli.js · L8
    L381: ["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i],
    L382: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i]
    L383: ];
    High
    Child Process

    Package source references child process execution.

    dist/cli.js · L381
    L526: new RegExp(`\\b(bash|sh|zsh|ksh|eval)\\b[^\\n]*\\$\\(\\s*${FETCH}\\b`, "i"),
    L527: // bash -c "$(curl)"
    L528: new RegExp(`\\$\\(\\s*${FETCH}\\b[^)]*\\)`, "i"),
    High
    Shell

    Package source references shell execution.

    dist/cli.js · L526
    Medium
    Install Persistence

    Source writes installer persistence such as shell profile or service configuration.

    dist/cli.js · L8
    skills/craft/vercel-optimize/lib/vercel.mjs
    L15: try {
    L16: const { stdout } = await exec("vercel", ["--version"]);
    L17: raw = stdout.trim();
    ...
    L29: throw new Error(
    L30: `VERCEL_CLI_TOO_OLD: have ${v.join(".")}, need >= ${MIN_CLI_VERSION.join(".")}. Upgrade with \`npm i -g vercel@latest\`.`,
    L31: );
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    skills/craft/vercel-optimize/lib/vercel.mjs · L15
    skills/model-usage/scripts/test_model_usage.py
    path = skills/model-usage/scripts/test_model_usage.py kind = build_helper sizeBytes = 1310 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    skills/model-usage/scripts/test_model_usage.py
    skills/theme-factory/theme-showcase.pdf
    path = skills/theme-factory/theme-showcase.pdf kind = high_entropy_blob sizeBytes = 124310 magicHex = [redacted]
    High
    Ships High Entropy Blob

    Package ships high-entropy non-source blobs.

    skills/theme-factory/theme-showcase.pdf

    Findings

    6 Critical, 4 High, 5 Medium, 7 Low
    Critical · Critical Secret · skills/technical/api-builder/SKILL.md
    Critical · Credential Exfiltration · dist/cli.js
    Critical · Command Output Exfiltration · dist/cli.js
    Critical · Reverse Shell · dist/cli.js
    Critical · Trigger Reachable Dangerous Capability · dist/cli.js
    Critical · Secret Pattern · skills/technical/api-builder/SKILL.md
    High · Child Process · dist/cli.js
    High · Shell · dist/cli.js
    High · Runtime Package Install · skills/craft/vercel-optimize/lib/vercel.mjs
    High · Ships High Entropy Blob · skills/theme-factory/theme-showcase.pdf
    Medium · Network
    Medium · Environment Vars
    Medium · Install Persistence · dist/cli.js
    Medium · Ships Build Helper · skills/model-usage/scripts/test_model_usage.py
    Medium · Structural Risk Force Deep Review
    Low · Non Install Lifecycle Scripts
    Low · Scripts Present
    Low · Filesystem
    Low · High Entropy Strings
    Low · Telemetry
    Low · Url Strings
    Low · No License