registry  /  @ottocode/server  /  0.1.347

@ottocode/server@0.1.347

HTTP API server for ottocode

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A hostile website may be able to call the unauthenticated loopback API because CORS reflects arbitrary origins with credentials and private-network access enabled. The API includes a user-command terminal creation route.

Static reason
No blocking static signals were detected.
Trigger
A browser visits an attacker-controlled origin while the Otto server is reachable on loopback.
Impact
Potential local command execution through the terminal API.
Mechanism
Permissive cross-origin access to an unauthenticated local command-execution API.
Rationale
The source contains a serious package runtime security flaw but no install-time, stealth, exfiltration, or payload behavior demonstrating malicious intent. Flag it as suspicious for remediation rather than block it as malware.
Evidence
src/index.tssrc/tunnel-auth.tssrc/routes/terminals.tssrc/routes/terminals/service.tspackage.jsonsrc/runtime/agent/config/paths.ts
Network endpoints2
localhost:<port>127.0.0.1:<port>

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `src/index.ts` reflects any CORS origin with credentials enabled.
  • `src/index.ts` sets `Access-Control-Allow-Private-Network: true`.
  • `src/tunnel-auth.ts` bypasses API authentication for loopback requests.
  • `src/routes/terminals.ts` exposes terminal creation; `src/routes/terminals/service.ts` passes requested command/args to the runtime terminal manager.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hooks.
  • No eval, Function, native payload, or install-time execution was found.
  • Agent config writes are explicit `/v1/config/agents` API actions and target Otto-owned `.otto` configuration paths.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 410 file(s), 1.34 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.githubcopilot.com, api.kimi.com, api.ottorouter.org, api.share.ottocode.io, chatgpt.com, cli-chat-proxy.grok.com, huggingface.co, ollama.com

Source & flagged code

4 flagged · loading source
src/index.tsView file
Published source reference
Medium
Ai Review Evidence

`src/index.ts` reflects any CORS origin with credentials enabled.

src/index.tsView on unpkg
Published source reference
Medium
Ai Review Evidence

`src/index.ts` sets `Access-Control-Allow-Private-Network: true`.

src/index.tsView on unpkg
src/tunnel-auth.tsView file
Published source reference
Medium
Ai Review Evidence

`src/tunnel-auth.ts` bypasses API authentication for loopback requests.

src/tunnel-auth.tsView on unpkg
src/routes/terminals.tsView file
Published source reference
Medium
Ai Review Evidence

`src/routes/terminals.ts` exposes terminal creation; `src/routes/terminals/service.ts` passes requested command/args to the runtime terminal manager.

src/routes/terminals.tsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/index.ts
MediumAi Review Evidencesrc/index.ts
MediumAi Review Evidencesrc/tunnel-auth.ts
MediumAi Review Evidencesrc/routes/terminals.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License