registry  /  @ottocode/server  /  0.1.346

@ottocode/server@0.1.346

HTTP API server for ottocode

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Runtime HTTP server exposes high-impact local project operations, including terminal creation and agent configuration updates. No install-time attack surface or unconsented foreign AI-agent control-surface mutation was found.

Static reason
No blocking static signals were detected.
Trigger
A user or reachable client sends requests to the running server endpoints.
Impact
A client with route access can invoke commands or modify Otto-managed agent settings; broad reflected CORS increases exposure if the local server is reachable from an untrusted browser origin.
Mechanism
HTTP-controlled terminal execution and first-party Otto agent-config writes.
Rationale
Source inspection finds no concrete malicious chain or lifecycle execution, but does find a first-party AI-agent management surface and command-execution API with permissive CORS behavior. This is a real dangerous capability/risk, warranting warning rather than a malicious block.
Evidence
package.jsonsrc/index.tssrc/routes/terminals/service.tssrc/runtime/agent/config/paths.tssrc/runtime/agent/config/upsert.tssrc/tunnel-auth.ts
Network endpoints9
api.ottorouter.orgapi.share.ottocode.ioapi.github.comapi.githubcopilot.comapi.anthropic.comchatgpt.comcli-chat-proxy.grok.comapi.kimi.comollama.com

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/routes/terminals/service.ts` creates user-requested shell/command terminals.
  • `src/runtime/agent/config/paths.ts` writes Otto local or global agent configuration and prompt files.
  • `src/index.ts` reflects arbitrary CORS origins and enables private-network access headers.
  • `src/index.ts` registers file, git, terminal, MCP, and agent-related server routes at runtime.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle hook.
  • No obfuscated payload, eval/vm execution, binary loader, or install-time network activity was found.
  • `src/tunnel-auth.ts` requires daemon, owner-session, or share authorization for non-loopback API access.
  • Observed remote endpoints are named product/provider APIs used by explicit service features.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 409 file(s), 1.34 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.githubcopilot.com, api.kimi.com, api.ottorouter.org, api.share.ottocode.io, chatgpt.com, cli-chat-proxy.grok.com, huggingface.co, ollama.com

Source & flagged code

4 flagged · loading source
src/routes/terminals/service.tsView file
Published source reference
Medium
Ai Review Evidence

`src/routes/terminals/service.ts` creates user-requested shell/command terminals.

src/routes/terminals/service.tsView on unpkg
src/runtime/agent/config/paths.tsView file
Published source reference
Medium
Ai Review Evidence

`src/runtime/agent/config/paths.ts` writes Otto local or global agent configuration and prompt files.

src/runtime/agent/config/paths.tsView on unpkg
src/index.tsView file
Published source reference
Medium
Ai Review Evidence

`src/index.ts` reflects arbitrary CORS origins and enables private-network access headers.

src/index.tsView on unpkg
Published source reference
Medium
Ai Review Evidence

`src/index.ts` registers file, git, terminal, MCP, and agent-related server routes at runtime.

src/index.tsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/routes/terminals/service.ts
MediumAi Review Evidencesrc/runtime/agent/config/paths.ts
MediumAi Review Evidencesrc/index.ts
MediumAi Review Evidencesrc/index.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License