registry  /  @ranimontagna/agent-toolkit  /  0.2.0

@ranimontagna/agent-toolkit@0.2.0

Personal AI agent toolkit installer for Claude Code, Codex CLI, OpenCode, Gemini CLI, Antigravity and graph-aware workflows.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `agent-toolkit`, `setup-agent-toolkit`, or the shipped shell wrapper and confirms/selects installation actions.
Impact
Can alter selected local or global AI-agent extension/skill environments and install third-party tooling.
Mechanism
User-invoked external CLI installation of AI-agent plugins, extensions, skills, and supporting tools.
Rationale
The package is an installer with explicit AI-agent configuration capabilities, warranting a warning under the control-surface policy. No concrete malicious install-time behavior or exfiltration was found.
Evidence
package.jsondist/bin/agent-toolkit.jsdist/src/main.jsdist/src/state.jsdist/src/installers/agent-skills.jsdist/src/installers/superpowers.jsdist/src/system.jstools.lock.jsonskills
Network endpoints3
api.github.comgithub.compypi.org

Decision evidence

public snapshot
AI called this Suspicious at 92.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/src/installers/superpowers.js` invokes Claude, Codex, and Gemini plugin/extension installation commands.
  • `dist/src/installers/agent-skills.js` clones repositories and invokes an external skills CLI to install agent skills, optionally globally.
  • `dist/src/state.js` defaults to multiple AI runtimes and agent-tool installers when the CLI is run.
Evidence against
  • `package.json` has only `prepare`; no preinstall/install/postinstall hook mutates agent configuration.
  • `dist/bin/agent-toolkit.js` only calls `runInstaller()` after an explicit CLI invocation.
  • `dist/src/main.js` shows interactive selection unless a user supplies noninteractive flags.
  • `dist/src/installers/agent-skills.js` checks out configured commit hashes and verifies the resulting Git HEAD.
  • `dist/src/system.js` implements bounded HTTP fetch/download helpers; no credential collection or exfiltration path was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 29 file(s), 157 KB of source, external domains: antigravity.google, api.github.com, docs.npmjs.com, github.com, pypi.org

Source & flagged code

6 flagged · loading source
dist/src/system.jsView file
1import { spawnSync } from "node:child_process"; L2: import { randomUUID } from "node:crypto";
High
Child Process

Package source references child process execution.

dist/src/system.jsView on unpkg · L1
35function escapeCmdArg(arg) { L36: // cmd.exe quoting in the cross-spawn style: double backslashes that precede L37: // a quote, double trailing backslashes, escape quotes, wrap in quotes.
High
Shell

Package source references shell execution.

dist/src/system.jsView on unpkg · L35
1import { spawnSync } from "node:child_process"; L2: import { randomUUID } from "node:crypto"; L3: import fs from "node:fs"; L4: import http, {} from "node:http"; L5: import https from "node:https"; ... L11: export function findCommand(command) { L12: const pathValue = process.env.PATH || ""; L13: const pathExt = process.platform === "win32"
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/system.jsView on unpkg · L1
matchType = previous_version_dangerous_delta matchedPackage = @ranimontagna/agent-toolkit@0.1.31 matchedIdentity = npm:[redacted]:0.1.31 similarity = 0.517 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/system.jsView on unpkg
setup-agent-toolkit.shView file
path = setup-agent-toolkit.sh kind = build_helper sizeBytes = 790 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

setup-agent-toolkit.shView on unpkg
skills/backend/fastify-best-practices/rules/testing.mdView file
82patternName = generic_password severity = medium line = 82 matchedText = password...23',
Medium
Secret Pattern

Hardcoded password in skills/backend/fastify-best-practices/rules/testing.md

skills/backend/fastify-best-practices/rules/testing.mdView on unpkg · L82

Findings

4 High5 Medium5 Low
HighChild Processdist/src/system.js
HighShelldist/src/system.js
HighSame File Env Network Executiondist/src/system.js
HighPrevious Version Dangerous Deltadist/src/system.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersetup-agent-toolkit.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternskills/backend/fastify-best-practices/rules/testing.md
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings