registry  /  @phamvuhoang/otto-core  /  0.33.0

@phamvuhoang/otto-core@0.33.0

Claude Code AFK orchestration: iteration loop, native-sandbox runner, template renderer.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User invokes exported runner/CLI orchestration or `otto-extensions init`.
Impact
The invoked agent may modify the selected workspace; host mode can request unrestricted Codex sandbox access.
Mechanism
User-invoked AI-agent execution and `.otto` extension configuration.
Rationale
Source inspection found a real high-impact, user-invoked agent-execution capability but no automatic execution, credential theft, exfiltration, remote payload chain, or unconsented foreign AI-agent control-surface mutation.
Evidence
package.jsondist/index.jsdist/runner.jsdist/extensions-cli.jsdist/external-skills.jsdist/linear-api.jsdist/extension-profiles.js.otto/config.json.otto/policy.json.otto/tools/*.json.otto/skills/sources.json
Network endpoints1
api.linear.app/graphql

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/runner.js` explicitly launches Claude/Codex CLIs for user-requested stages.
  • Codex arguments include `--ask-for-approval never`; host mode maps to `danger-full-access`.
  • `dist/extensions-cli.js` can write workspace `.otto` configuration, policies, tools, and skill sources after `otto-extensions init`.
  • `dist/linear-api.js` sends a configured Linear token to `https://api.linear.app/graphql`.
Evidence against
  • `package.json` has no preinstall/install/postinstall hook; only `prepublishOnly`.
  • `dist/index.js` exports functions and has no import-time execution.
  • Process launches use fixed CLI programs and argument arrays rather than shell interpolation.
  • Extension writes are behind explicit CLI `init`; they target package-owned `.otto` workspace state.
  • Agent config checks in `dist/preflight.js` only test credential-file existence.
  • No source evidence of credential harvesting, stealth persistence, payload download, or exfiltration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 93 file(s), 642 KB of source, external domains: api.linear.app, github.com, graph.threads.net

Source & flagged code

3 flagged · loading source
dist/runner.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/runner.js` explicitly launches Claude/Codex CLIs for user-requested stages.

dist/runner.jsView on unpkg
dist/extensions-cli.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/extensions-cli.js` can write workspace `.otto` configuration, policies, tools, and skill sources after `otto-extensions init`.

dist/extensions-cli.jsView on unpkg
dist/linear-api.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/linear-api.js` sends a configured Linear token to `https://api.linear.app/graphql`.

dist/linear-api.jsView on unpkg

Findings

5 Medium5 Low
MediumEnvironment Vars
MediumAi Review Evidencedist/runner.js
MediumAi Review Evidence
MediumAi Review Evidencedist/extensions-cli.js
MediumAi Review Evidencedist/linear-api.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings