registry  /  @parall/agent-core  /  1.43.0

@parall/agent-core@1.43.0

Shared agent runtime orchestration helpers for Parall

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No malicious install-time attack surface is established. At runtime, a granted first-party channel capability can create a package-controlled CLI shim and broker a short-lived token to the fixed vendor CLI.

Static reason
No blocking static signals were detected.
Trigger
A host application calls capability materialization for a granted channel, then invokes the generated `lark-cli` shim.
Impact
Creates a persistent agent-runtime extension point with vendor-CLI authority, but not an unconsented npm lifecycle mutation or arbitrary payload execution.
Mechanism
Capability-gated CLI shim materialization and short-lived token brokered subprocess execution.
Rationale
Source inspection found a guarded agent-extension and credential-brokering capability, but no lifecycle hook, stealthy persistence, exfiltration path, arbitrary execution target, or concrete malicious chain. Warn because the runtime extension materially brokers privileged vendor CLI access.
Evidence
package.jsonsrc/channel-capability.tssrc/bin/channel-exec.tssrc/channel-token.tssrc/internal/attachment-input.tssrc/index.ts

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/channel-capability.ts` materializes executable `lark-cli` pointer shims in a runtime state directory.
  • `src/bin/channel-exec.ts` mints a channel token and launches a fixed vendor CLI with inherited stdio.
  • `src/internal/attachment-input.ts` fetches user-provided HTTP(S) attachment URLs into a local attachment root.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, `prepare`, or `bin` declaration.
  • No import-time execution is exposed by `src/index.ts`; the executable entry runs only as a program.
  • The channel shim is capability-gated and fixes the target binary to `lark-cli`, preventing arbitrary token-to-program redirection.
  • `src/channel-token.ts` sends token requests only to the configured `PRLL_API_URL`; no hard-coded third-party endpoint was found.
  • Attachment downloads reject non-HTTP(S) schemes, enforce limits, and constrain writes to the attachment root.
  • No eval/vm usage, arbitrary remote-code loading, credential exfiltration, or destructive broad filesystem behavior was found.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 602 KB of source

Source & flagged code

3 flagged · loading source
src/channel-capability.tsView file
Published source reference
Medium
Ai Review Evidence

`src/channel-capability.ts` materializes executable `lark-cli` pointer shims in a runtime state directory.

src/channel-capability.tsView on unpkg
src/bin/channel-exec.tsView file
Published source reference
Medium
Ai Review Evidence

`src/bin/channel-exec.ts` mints a channel token and launches a fixed vendor CLI with inherited stdio.

src/bin/channel-exec.tsView on unpkg
src/internal/attachment-input.tsView file
Published source reference
Medium
Ai Review Evidence

`src/internal/attachment-input.ts` fetches user-provided HTTP(S) attachment URLs into a local attachment root.

src/internal/attachment-input.tsView on unpkg

Findings

5 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencesrc/channel-capability.ts
MediumAi Review Evidencesrc/bin/channel-exec.ts
MediumAi Review Evidencesrc/internal/attachment-input.ts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings