registry  /  @seekrit/cli  /  0.16.0

@seekrit/cli@0.16.0

End-to-end encrypted secrets manager CLI — inject decrypted secrets into any command.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User explicitly runs `seekrit mcp` and connects an MCP client with valid Seekrit credentials.
Impact
A connected or prompt-influenced agent could execute commands with decrypted secrets or persist them to a chosen local file.
Mechanism
MCP-mediated command execution and decrypted-secret file export.
Rationale
The package is a secrets-manager CLI and its network, environment, and child-process behavior is largely product-aligned. However, the explicit MCP server exposes arbitrary local command execution and secret-file export to an AI-agent control surface, warranting a warning for dangerous dual-use capability.
Evidence
package.jsondist/index.jsdist/mcp-ARBuneH3.js~/.config/seekrit/config.jsonseekrit.json
Network endpoints1
api.seekrit.dev

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/mcp-ARBuneH3.js` exposes an MCP `run` tool that spawns caller-selected commands with decrypted secrets in the environment.
  • `dist/mcp-ARBuneH3.js` exposes a tool that writes decrypted secrets to a caller-selected file path.
  • `dist/index.js` activates the MCP server only through explicit `seekrit mcp`; it is not install- or import-time.
  • `dist/index.js` dynamically loads only its bundled `./mcp-ARBuneH3.js` for that command.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `dist/index.js` uses `spawn(cmd,args)` for the explicit `seekrit run` command, not a hidden shell command.
  • Network requests use the configured Seekrit API base URL, defaulting to `https://api.seekrit.dev`.
  • No eval/vm/native loading, hidden downloader, foreign AI-agent config mutation, or unsolicited persistence was found.
  • The flagged secret-looking strings are token/credential handling logic, not embedded credential values.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 176 KB of source, external domains: api.seekrit.dev

Source & flagged code

3 flagged · loading source
dist/index.jsView file
1287patternName = private_key_openssh severity = critical line = 1287 matchedText = return `...\n`;
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/index.jsView on unpkg · L1287
1287patternName = private_key_openssh severity = critical line = 1287 matchedText = return `...\n`;
Critical
Secret Pattern

OpenSSH private key in dist/index.js

dist/index.jsView on unpkg · L1287
matchType = previous_version_dangerous_delta matchedPackage = @seekrit/cli@0.15.0 matchedIdentity = npm:QHNlZWtyaXQvY2xp:0.15.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

2 Critical1 High2 Medium5 Low
CriticalCritical Secretdist/index.js
CriticalSecret Patterndist/index.js
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License