registry  /  @ottocode/server  /  0.1.333

@ottocode/server@0.1.333

HTTP API server for ottocode

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A browser-originated request can reach a permissively CORS-enabled server API. The terminal route can create arbitrary processes in the selected project runtime without inspected route-level authentication.

Static reason
No blocking static signals were detected.
Trigger
A user runs or embeds the server, then an untrusted web origin sends requests to its reachable HTTP API.
Impact
Remote web content may execute commands with the server user's project permissions.
Mechanism
Reflected permissive CORS exposes an unauthenticated terminal-process creation endpoint.
Rationale
The package is not malicious by static inspection, but its default CORS policy combined with unauthenticated terminal creation is a concrete critical runtime risk. Flag it for warning rather than block because there is no lifecycle abuse, stealth persistence, or exfiltration chain.
Evidence
package.jsonsrc/index.tssrc/routes/terminals.tssrc/routes/terminals/service.tssrc/routes/project-context.tssrc/routes/root.tssrc/tools/adapter/secure-shell.ts

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `src/index.ts` reflects every Origin, enables credentials, and sets private-network access.
  • `src/routes/terminals/service.ts` accepts request-supplied commands and starts project terminal processes.
  • `src/routes/project-context.ts` accepts project selection from request query/headers.
  • The exposed terminal API has no route-level authorization in inspected source.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Importing `src/index.ts` registers HTTP routes; it does not execute shell commands.
  • No source evidence of covert credential harvesting or unsolicited exfiltration.
  • Observed provider/share requests are feature-aligned runtime API calls.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 398 file(s), 1.24 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.githubcopilot.com, api.kimi.com, api.ottorouter.org, api.share.ottocode.io, chatgpt.com, cli-chat-proxy.grok.com, huggingface.co, ollama.com

Source & flagged code

4 flagged · loading source
src/index.tsView file
Published source reference
Medium
Ai Review Evidence

`src/index.ts` reflects every Origin, enables credentials, and sets private-network access.

src/index.tsView on unpkg
src/routes/terminals/service.tsView file
Published source reference
Medium
Ai Review Evidence

`src/routes/terminals/service.ts` accepts request-supplied commands and starts project terminal processes.

src/routes/terminals/service.tsView on unpkg
src/routes/project-context.tsView file
Published source reference
Medium
Ai Review Evidence

`src/routes/project-context.ts` accepts project selection from request query/headers.

src/routes/project-context.tsView on unpkg
package.jsonView file
Published source reference
Medium
Stripped Provenance Metadata

The exposed terminal API has no route-level authorization in inspected source.

package.jsonView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/index.ts
MediumAi Review Evidencesrc/routes/terminals/service.ts
MediumAi Review Evidencesrc/routes/project-context.ts
MediumStripped Provenance Metadatapackage.json
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License