
@oxgeneral/orch@1.0.26

AI agent runtime — orchestrate Claude, Cursor, Codex & OpenCode as one team. Multi-agent task automation with state machine, auto-retry, inter-agent messaging, goals and teams. Zero-config CLI + programmatic API.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time script mutates a foreign AI-agent control surface by installing a Claude Code skill in the user's home directory. This gives the package persistent Claude skill instructions outside the package namespace without explicit user invocation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @oxgeneral/orch@1.0.26
Impact
Claude Code may load package-supplied /orch instructions and tool permissions from ~/.claude/skills/orch/SKILL.md after installation.
Mechanism
unconsented lifecycle write to Claude Code skill directory
Policy narrative
During npm postinstall, scripts/postinstall.cjs copies the package's Claude Code skill into ~/.claude/skills/orch/SKILL.md and silently patches Ink dependency files. The installed skill advertises Bash, Write, Edit, and Agent tools and directs Claude to translate user requests into orch CLI commands. This is lifecycle-triggered mutation of a broad foreign AI-agent control surface.
Rationale
The package performs an unconsented install-time write into ~/.claude/skills, a foreign AI-agent control surface, which matches the blockable AI-agent control hijack policy even though the skill content is product-aligned. No exfiltration was needed to establish the attack surface.
Evidence
  • package.json
  • scripts/postinstall.cjs
  • skills/orch/SKILL.md
  • dist/cli.js
  • dist/chunk-DEHFYICU.js
  • dist/chunk-YKUO5PD4.js
  • ~/.claude/skills/orch/SKILL.md
  • node_modules/ink/build/wrap-text.js
  • node_modules/ink/build/measure-text.js
  • node_modules/ink/build/output.js

Decision evidence

public snapshot
AI called this Malicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.cjs || true
  • scripts/postinstall.cjs runs at install time and writes package skill to ~/.claude/skills/orch/SKILL.md
  • skills/orch/SKILL.md registers a Claude Code skill with Bash/Write/Edit/Agent tools and instructs Claude to run orch commands
  • scripts/postinstall.cjs also rewrites installed dependency files under node_modules/ink/build
  • dist adapters invoke AI CLIs with permission bypass flags such as --dangerously-skip-permissions
Evidence against
  • No credential harvesting or secret exfiltration found in inspected postinstall path
  • Postinstall network activity not observed; GitHub URL is banner/repository text
  • The planted skill is product-aligned for orch rather than a hidden unrelated payload
Behavioral surface
Source
Child Process · Crypto · Dynamic Require · Environment Vars · Filesystem · Shell
Supply chain
High Entropy Strings · Minified · Url Strings
Manifest
No manifest risk signals triggered.
scanned 96 file(s), 643 KB of source, external domains: github.com

Source & flagged code

6 flagged
package.json
scripts.postinstall = node scripts/postinstall.cjs || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.cjs || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
dist/chunk-6DWHQPTE.js
L9: }
L10: require(kind) {
L11: const adapter = this.adapters.get(kind);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/chunk-6DWHQPTE.js · L9
scripts/postinstall.cjs
Install-time AI-agent control hijack evidence:
L7:
L8: const { readFileSync, writeFileSync, existsSync, mkdirSync } = require('node:fs');
L9: const { join } = require('node:path');
...
L22: s = s.replace('cache[cacheKey] = wrappedText;', `cache[cacheKey] = wrappedText;\n _lruKeys.push(cacheKey);\n if (_lruKeys.length > _MAX) { delete cache[_lruKeys.shift()]; }`)...
L23: writeFileSync(wrapPath, s);
L24: }
...
L32: s = s.replace('cache.set(text, dimensions);', `cache.set(text, dimensions);\n if (cache.size > _MAX_MT) { const first = cache.keys().next().value; cache.delete(first); }`);
L33: writeFileSync(measurePath, s);
L34: }
...
L46: s = s.replace('this.blockWidths.set(text, cached);', `this.blockWidths.set(text, cached);${lru('blockWidths')}`);
L47: writeFileSync(outputPath, s);
L48: }
Payload evidence from skills/orch/SKILL.md:
L1: ---
L2: name: orch
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.cjs · L1
Manifest entrypoint (scripts.postinstall) carries capability families absent from dist/build output: environment+network
L13: try {
L14: const inkBuild = join(__dirname, '..', 'node_modules', 'ink', 'build');
L15: const MAX = 2000;
...
L69: // Skip banner in CI or non-interactive environments
L70: if (process.env.CI || !process.stderr.isTTY) process.exit(0);
L71:
...
L76:
L77: process.stderr.write(`
L78: ${green('✓')} ${bold('orchestry')} installed
...
L82: ${sk[redacted] ? ` ${dim('or use')} ${bold('/orch')} ${dim('in Claude Code')}\n` : ''}
L83: ${dim('⭐ Like it? Star us on GitHub: https://github.com/oxgeneral/ORCH')}
L84:
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

scripts/postinstall.cjs · L13
scripts/release.sh
path = scripts/release.sh
kind = build_helper
sizeBytes = 929
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/release.sh

Findings

1 Critical · 2 High · 5 Medium · 5 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.cjs
High · Install Time Lifecycle Scripts · package.json
High · Entrypoint Build Divergence · scripts/postinstall.cjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Dynamic Require · dist/chunk-6DWHQPTE.js
Medium · Environment Vars
Medium · Ships Build Helper · scripts/release.sh
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings