registry  /  @oriro/orirocli  /  0.1.8

@oriro/orirocli@0.1.8

ORIRO — a free, on-device-friendly terminal AI agent. Built on the Pi agent harness (used as a library).

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. Risky primitives are part of an advertised AI-agent CLI and are user-invoked rather than install-time or hidden.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `oriro` or explicit subcommands such as channels/skills/router workflows.
Impact
No unconsented credential theft, persistence, destructive action, or hidden code execution identified.
Mechanism
Package-aligned AI agent, local config storage, and user-selected network integrations.
Rationale
The alarming scanner matches are mostly defensive IOC regexes and examples inside skills, while the actual package behavior is an advertised interactive AI CLI with no npm install-time execution. User-supplied tokens and network calls are local/user-invoked and package-aligned, so there is no concrete malicious behavior to block.
Evidence
package.jsondist/cli.jsREADME.mdskills/technical/api-builder/SKILL.mdskills/web-artifacts-builder/scripts/init-artifact.shskills/craft/vercel-optimize/lib/vercel.mjs~/.oriro/language.json~/.oriro/guardian.json~/.oriro/channels.json~/.oriro/connectors.json

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/cli.js exposes an AI-agent CLI with user-invoked tool/agent orchestration and bot-channel hosting.
  • dist/cli.js stores user-supplied Telegram/Discord tokens locally in ~/.oriro/channels.json when `oriro channels add` is run.
  • skills/web-artifacts-builder/scripts/init-artifact.sh contains user-invoked npm/pnpm install commands for project scaffolding.
Evidence against
  • package.json has no install/preinstall/postinstall hook; prepublishOnly is publisher-side only.
  • Scanner reverse-shell/exfil hits in dist/cli.js are Guardian regex rules that block those behaviors, not executed payloads.
  • Network use is package-aligned: LLM routers, avatar fetches, Discord/Telegram validation, and user-started channels.
  • Shell-outs found are bounded/user-facing helpers such as audio playback and Vercel CLI execFile, not hidden install-time execution.
  • skills/technical/api-builder/SKILL.md contains example API/JWT text, not a live secret used by code.
  • Entrypoint only registers commands and starts the REPL on explicit CLI execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
NoLicense
scanned 102 file(s), 864 KB of source, external domains: ai-gateway.vercel.sh, aihorde.net, airtable.com, aistudio.google.com, anyscale.com, api.ai21.com, api.assemblyai.com, api.berget.ai, api.cerebras.ai, api.cloudflare.com, api.cohere.ai, api.deepseek.com, api.endpoints.anyscale.com, api.fireworks.ai, api.groq.com, api.hyperbolic.xyz, api.imgflip.com, api.inference.net, api.llm7.io, api.mistral.ai, api.moonshot.ai, api.nlpcloud.io, api.novita.ai, api.portkey.ai, api.replicate.com, api.sambanova.ai, api.scaleway.ai, api.siliconflow.cn, api.slack.com, api.stability.ai, api.studio.nebius.ai, api.together.ai, api.together.xyz, api.upstage.ai, api.wavespeed.ai, api.x.ai, api.z.ai, app.hyperbolic.xyz, assemblyai.com, baseten.co, berget.ai, build.nvidia.com, chutes.ai, cloud.cerebras.ai, cloud.google.com, cloud.sambanova.ai, console.groq.com, console.mistral.ai, console.scaleway.com, console.upstage.ai

Source & flagged code

12 flagged · loading source
skills/technical/api-builder/SKILL.mdView file
94patternName = supabase_service_key severity = critical line = 94 matchedText = eyJhbGci...sw5c
Critical
Critical Secret

Package contains a critical-looking secret pattern.

skills/technical/api-builder/SKILL.mdView on unpkg · L94
94patternName = supabase_service_key severity = critical line = 94 matchedText = eyJhbGci...sw5c
Critical
Secret Pattern

Supabase service role key (JWT) in skills/technical/api-builder/SKILL.md

skills/technical/api-builder/SKILL.mdView on unpkg · L94
dist/cli.jsView file
8import { createInterface as createInterface5 } from "readline/promises"; L9: import { stdin as stdin5, stdout as stdout6 } from "process"; L10: ... L202: function oriroDir() { L203: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro"); L204: } ... L214: try { L215: return JSON.parse(readFileSync(file(), "utf8")); L216: } catch { ... L282: } L283: stdout.write(dim("\nBye.\n")); L284: process.exit(0);
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.jsView on unpkg · L8
8import { createInterface as createInterface5 } from "readline/promises"; L9: import { stdin as stdin5, stdout as stdout6 } from "process"; L10: ... L202: function oriroDir() { L203: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro"); L204: } ... L214: try { L215: return JSON.parse(readFileSync(file(), "utf8")); L216: } catch { ... L282: } L283: stdout.write(dim("\nBye.\n")); L284: process.exit(0);
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/cli.jsView on unpkg · L8
8import { createInterface as createInterface5 } from "readline/promises"; L9: import { stdin as stdin5, stdout as stdout6 } from "process"; L10: ... L202: function oriroDir() { L203: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro"); L204: } ... L214: try { L215: return JSON.parse(readFileSync(file(), "utf8")); L216: } catch { ... L282: } L283: stdout.write(dim("\nBye.\n")); L284: process.exit(0);
Critical
Reverse Shell

Source matches reverse-shell style process and socket wiring.

dist/cli.jsView on unpkg · L8
8Trigger-reachable chain: manifest.bin -> dist/cli.js L8: import { createInterface as createInterface5 } from "readline/promises"; L9: import { stdin as stdin5, stdout as stdout6 } from "process"; L10: ... L202: function oriroDir() { L203: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro"); L204: } ... L214: try { L215: return JSON.parse(readFileSync(file(), "utf8")); L216: } catch { ... L282: } L283: stdout.write(dim("\nBye.\n")); L284: process.exit(0);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L8
381["ioc:obf_loader", /eval\(\s*(atob|Buffer\.from)\(/i], L382: ["ioc:cp_loader", /child_process[\s\S]{0,40}(atob|fromCharCode)/i] L383: ];
High
Child Process

Package source references child process execution.

dist/cli.jsView on unpkg · L381
526new RegExp(`\\b(bash|sh|zsh|ksh|eval)\\b[^\\n]*\\$\\(\\s*${FETCH}\\b`, "i"), L527: // bash -c "$(curl)" L528: new RegExp(`\\$\\(\\s*${FETCH}\\b[^)]*\\)`, "i"),
High
Shell

Package source references shell execution.

dist/cli.jsView on unpkg · L526
8import { createInterface as createInterface5 } from "readline/promises"; L9: import { stdin as stdin5, stdout as stdout6 } from "process"; L10: ... L202: function oriroDir() { L203: return process.env.ORIRO_STATE_DIR ?? join(homedir(), ".oriro"); L204: } ... L214: try { L215: return JSON.parse(readFileSync(file(), "utf8")); L216: } catch { ... L282: } L283: stdout.write(dim("\nBye.\n")); L284: process.exit(0);
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli.jsView on unpkg · L8
skills/craft/vercel-optimize/lib/vercel.mjsView file
15try { L16: const { stdout } = await exec("vercel", ["--version"]); L17: raw = stdout.trim(); ... L29: throw new Error( L30: `VERCEL_CLI_TOO_OLD: have ${v.join(".")}, need >= ${MIN_CLI_VERSION.join(".")}. Upgrade with \`npm i -g vercel@latest\`.`, L31: );
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

skills/craft/vercel-optimize/lib/vercel.mjsView on unpkg · L15
skills/model-usage/scripts/test_model_usage.pyView file
path = skills/model-usage/scripts/test_model_usage.py kind = build_helper sizeBytes = 1310 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

skills/model-usage/scripts/test_model_usage.pyView on unpkg
skills/theme-factory/theme-showcase.pdfView file
path = skills/theme-factory/theme-showcase.pdf kind = high_entropy_blob sizeBytes = 124310 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

skills/theme-factory/theme-showcase.pdfView on unpkg

Findings

6 Critical4 High5 Medium7 Low
CriticalCritical Secretskills/technical/api-builder/SKILL.md
CriticalCredential Exfiltrationdist/cli.js
CriticalCommand Output Exfiltrationdist/cli.js
CriticalReverse Shelldist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
CriticalSecret Patternskills/technical/api-builder/SKILL.md
HighChild Processdist/cli.js
HighShelldist/cli.js
HighRuntime Package Installskills/craft/vercel-optimize/lib/vercel.mjs
HighShips High Entropy Blobskills/theme-factory/theme-showcase.pdf
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/cli.js
MediumShips Build Helperskills/model-usage/scripts/test_model_usage.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License