registry  /  @phamvuhoang/otto-core  /  0.33.1

@phamvuhoang/otto-core@0.33.1

Claude Code AFK orchestration: iteration loop, native-sandbox runner, template renderer.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface. User-invoked orchestration can run configured AI CLIs and persist Otto-owned workspace configuration under `.otto`.

Static reason
No blocking static signals were detected.
Trigger
Explicit Otto runtime, Linear, Headroom, skills, or extensions command.
Impact
Configured commands may access the selected workspace and services; no automatic installation-time action was found.
Mechanism
User-directed AI-agent orchestration and first-party `.otto` extension setup.
Rationale
Source inspection found legitimate but powerful explicit orchestration and first-party extension setup, not concrete malicious behavior. Mark as warn for agent-extension lifecycle risk rather than block.
Evidence
package.jsondist/index.jsdist/runner.jsdist/extensions-cli.jsdist/external-skills.jsdist/linear-api.jsdist/headroom-adapter.jsdist/extension-profiles.js.otto/config.json.otto/policy.json.otto/skills/sources.json.otto/skills.lock.json
Network endpoints3
api.linear.app/graphqlhuggingface.cocdn-lfs.huggingface.co

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/runner.js` explicitly spawns Claude/Codex CLIs during user-invoked stages.
  • `dist/extensions-cli.js` writes `.otto` config, policy, tool, and skill-source files on `otto-extensions init`.
  • `dist/linear-api.js` reads Linear credentials and calls `https://api.linear.app/graphql` when Linear commands run.
  • `dist/headroom-adapter.js` can invoke Python/Headroom; online model download is user/config controlled.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; only publish-time build script.
  • `dist/index.js` is exports only; inspection found no import-time execution.
  • Subprocesses use argument arrays and explicit agent/tool commands, not hidden shell payloads.
  • `dist/external-skills.js` syncs only local sources in this build and imports skills as unverified/inert.
  • No credential harvesting or package-controlled exfiltration endpoint was found.
  • No writes to foreign AI-agent directories such as `.claude` or `.codex` were found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 95 file(s), 669 KB of source, external domains: api.linear.app, github.com, graph.threads.net

Source & flagged code

4 flagged · loading source
dist/runner.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/runner.js` explicitly spawns Claude/Codex CLIs during user-invoked stages.

dist/runner.jsView on unpkg
dist/extensions-cli.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/extensions-cli.js` writes `.otto` config, policy, tool, and skill-source files on `otto-extensions init`.

dist/extensions-cli.jsView on unpkg
dist/linear-api.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/linear-api.js` reads Linear credentials and calls `https://api.linear.app/graphql` when Linear commands run.

dist/linear-api.jsView on unpkg
dist/headroom-adapter.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/headroom-adapter.js` can invoke Python/Headroom; online model download is user/config controlled.

dist/headroom-adapter.jsView on unpkg

Findings

5 Medium5 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/runner.js
MediumAi Review Evidencedist/extensions-cli.js
MediumAi Review Evidencedist/linear-api.js
MediumAi Review Evidencedist/headroom-adapter.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings