registry  /  @ranimontagna/agent-toolkit  /  0.1.25

@ranimontagna/agent-toolkit@0.1.25

Personal AI agent toolkit installer for Claude Code, Codex CLI, OpenCode, Gemini CLI, Antigravity and graph-aware workflows.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs agent-toolkit/setup-agent-toolkit CLI with selected install flags or interactive confirmation.
Impact
Can modify local/global AI agent skill/plugin surfaces and install external tools, but not during npm install and not stealthily based on inspected source.
Mechanism
CLI-driven installation of plugins, skills, external tools, and runtime CLIs with pinned provenance checks.
Rationale
This is not malicious by source inspection: risky primitives are aligned with the advertised installer and are activated by explicit CLI use, with no npm install-time foreign agent control mutation. Because it intentionally mutates AI-agent extension surfaces and installs external capabilities, a warning is appropriate rather than a publish block.
Evidence
package.jsondist/bin/agent-toolkit.jsdist/src/main.jsdist/src/system.jsdist/src/skills.jsdist/src/manifest.jsdist/src/provenance.jsdist/src/runtimes.jsdist/src/installers/rtk.jsdist/src/installers/superpowers.jstools.lock.jsonsetup-agent-toolkit.sh~/.local/bin/rtk~/.claude/skills~/.codex/skills~/.config/opencode/skills~/.gemini/skills~/.gemini/antigravity-cli/skills~/.agents/skills.agent-toolkit/install-manifest.json~/.agent-toolkit/install-manifest.json
Network endpoints9
api.github.com/repos/rtk-ai/rtk/releases/tags/v0.43.0github.com/JuliusBrussee/caveman.gitgithub.com/shadcn/improve.gitgithub.com/pbakaus/impeccable.gitgithub.com/Leonxlnx/taste-skill.gitgithub.com/millionco/react-doctor.gitpypi.org/pypi/graphifyy/jsonantigravity.google/cli/install.shgithub.com/obra/superpowers

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/src/skills.js copies bundled skills into ~/.claude, ~/.codex, opencode, ~/.gemini, Antigravity, or local project skill dirs when CLI is run.
  • dist/src/installers/superpowers.js invokes claude/codex/gemini plugin or extension install commands.
  • dist/src/installers/rtk.js downloads a GitHub release asset, verifies SHA-256, installs an rtk binary, then runs rtk init --global --auto-patch.
  • dist/src/runtimes.js can pipe the official Antigravity installer URL to bash, but only under --install-missing-clis/user-selected runtime flow.
Evidence against
  • package.json has no preinstall/install/postinstall hook; npm install does not run the agent config mutation path.
  • bin entrypoint only calls runInstaller; setup-agent-toolkit.sh is a wrapper around node dist/bin/agent-toolkit.js.
  • External tool sources are pinned in tools.lock.json and provenance checks reject mutable or identity-changing overrides unless explicitly allowed.
  • No credential harvesting, secret exfiltration, destructive filesystem sweep, obfuscation, eval/vm, or import-time execution found in inspected source.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 28 file(s), 125 KB of source, external domains: antigravity.google, api.github.com, docs.npmjs.com, github.com, pypi.org

Source & flagged code

6 flagged · loading source
dist/src/system.jsView file
1import { spawnSync } from "node:child_process"; L2: import fs from "node:fs";
High
Child Process

Package source references child process execution.

dist/src/system.jsView on unpkg · L1
32function escapeCmdArg(arg) { L33: // cmd.exe quoting in the cross-spawn style: double backslashes that precede L34: // a quote, double trailing backslashes, escape quotes, wrap in quotes.
High
Shell

Package source references shell execution.

dist/src/system.jsView on unpkg · L32
1import { spawnSync } from "node:child_process"; L2: import fs from "node:fs"; L3: import http from "node:http"; L4: import https from "node:https"; ... L8: export function findCommand(command) { L9: const pathValue = process.env.PATH || ""; L10: const pathExt = process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/system.jsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = @ranimontagna/agent-toolkit@0.1.24 matchedIdentity = npm:[redacted]:0.1.24 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/system.jsView on unpkg
setup-agent-toolkit.shView file
path = setup-agent-toolkit.sh kind = build_helper sizeBytes = 561 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

setup-agent-toolkit.shView on unpkg
skills/backend/fastify-best-practices/rules/testing.mdView file
82patternName = generic_password severity = medium line = 82 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in skills/backend/fastify-best-practices/rules/testing.md

skills/backend/fastify-best-practices/rules/testing.mdView on unpkg · L82

Findings

4 High5 Medium5 Low
HighChild Processdist/src/system.js
HighShelldist/src/system.js
HighSame File Env Network Executiondist/src/system.js
HighPrevious Version Dangerous Deltadist/src/system.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersetup-agent-toolkit.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternskills/backend/fastify-best-practices/rules/testing.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings