
@permission-slip/cli@0.1.24

Agent-facing CLI for Permission Slip — register, verify, and interact with Permission Slip servers

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Runtime behavior is a user-invoked agent approval CLI that stores its own config/registration and SSH-style key files, then talks to a user-configured Permission Slip server.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs permission-slip CLI commands
Impact
No install-time execution, credential harvesting, exfiltration, persistence, or foreign AI-agent control-surface mutation found.
Mechanism
user-invoked API client, local config/key management, optional watcher notification
Rationale
Static source inspection shows package-aligned, user-invoked approval CLI behavior with no lifecycle delivery into foreign agent surfaces and no hardcoded exfiltration endpoint. The scanner secret finding is explained by generated local key-management code, not an embedded credential.
Evidence
• package.json
• dist/index.js
• dist/api/client.js
• dist/config/serverUrl.js
• dist/config/store.js
• dist/auth/keys.js
• dist/commands/watch.js
• dist/approvals/watchLoop.js
• dist/approvals/notifyCommand.js
• ~/.permission-slip/config.json
• ~/.permission-slip/registrations.json
• ~/.ssh/permission_slip_agent
• ~/.ssh/permission_slip_agent.pub

Decision evidence

public snapshot
AI called this Clean at 91.0% confidence as Benign with low false-positive risk.
Evidence for block
Evidence against
• package.json has no install/postinstall hook; prepublishOnly only runs build before publishing
• bin dist/index.js only registers commander subcommands and prints changelog notice
• server URL has no default host; resolved from --server, PS_SERVER, or ~/.permission-slip/config.json
• dist/api/client.js sends signed requests only to user-configured http(s) server paths
• dist/auth/keys.js generates/reads a package-specific Ed25519 key, not a hardcoded secret
• OpenClaw notify shell execution is user-invoked via watch/--notify-cmd and package-aligned

Behavioral surface
Source: ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 31 file(s), 91.3 KB of source

Source & flagged code

8 flagged

dist/auth/keys.js

Critical · Critical Secret · dist/auth/keys.js, line 41
patternName = private_key_rsa, severity = critical, matchedText = * Suppor...vely
Package contains a critical-looking secret pattern.

Critical · Secret Pattern · dist/auth/keys.js, line 41
patternName = private_key_rsa, severity = critical, matchedText = * Suppor...vely
RSA private key in dist/auth/keys.js

Critical · Secret Pattern · dist/auth/keys.js, line 42
patternName = private_key_openssh, severity = critical, matchedText = * unders...--`,
OpenSSH private key in dist/auth/keys.js

Critical · Secret Pattern · dist/auth/keys.js, line 62
patternName = private_key_openssh, severity = critical, matchedText = .replace... "")
OpenSSH private key in dist/auth/keys.js

Critical · Secret Pattern · dist/auth/keys.js, line 161
patternName = private_key_rsa, severity = critical, matchedText = * NOTE: ... the
RSA private key in dist/auth/keys.js

Critical · Secret Pattern · dist/auth/keys.js, line 162
patternName = private_key_openssh, severity = critical, matchedText = * OpenSS...de's
OpenSSH private key in dist/auth/keys.js

dist/auth/keys.d.ts

Critical · Secret Pattern · dist/auth/keys.d.ts, line 28
patternName = private_key_rsa, severity = critical, matchedText = * Suppor...vely
RSA private key in dist/auth/keys.d.ts

Critical · Secret Pattern · dist/auth/keys.d.ts, line 29
patternName = private_key_openssh, severity = critical, matchedText = * unders...--`,
OpenSSH private key in dist/auth/keys.d.ts

Findings

8 Critical · 2 Medium · 4 Low
• Critical · Critical Secret · dist/auth/keys.js
• Critical · Secret Pattern · dist/auth/keys.js
• Critical · Secret Pattern · dist/auth/keys.js
• Critical · Secret Pattern · dist/auth/keys.js
• Critical · Secret Pattern · dist/auth/keys.js
• Critical · Secret Pattern · dist/auth/keys.js
• Critical · Secret Pattern · dist/auth/keys.d.ts
• Critical · Secret Pattern · dist/auth/keys.d.ts
• Medium · Network
• Medium · Environment Vars
• Low · Non Install Lifecycle Scripts
• Low · Scripts Present
• Low · Filesystem
• Low · High Entropy Strings