registry  /  @sinm/kai  /  1.12.8

@sinm/kai@1.12.8

KAi — Multi-Agent Collaborative Chat

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `kai-cli start` or configures/uses MCP and terminal features.
Impact
A user or authenticated remote client can invoke the package's high-privilege agent features; these are substantial dual-use capabilities rather than covert package behavior.
Mechanism
AI-agent runtime with HTTP, PTY, MCP-command, update, and skill-download capabilities.
Rationale
Source inspection finds a legitimate but high-privilege multi-agent runtime, not concrete malware. Downgrade to warn for dangerous dual-use remote/terminal/MCP capabilities.
Evidence
package.jsonbin/kai-cli.jsdist-cli/kai-cli.js
Network endpoints1
pansinm.com/kai/update

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist-cli/kai-cli.js` starts an HTTP server on `0.0.0.0` from the user-invoked CLI.
  • `dist-cli/kai-cli.js` provisions PTY sessions through `node-pty`, enabling interactive local command execution.
  • `dist-cli/kai-cli.js` spawns configured MCP commands with inherited environment variables.
  • `dist-cli/kai-cli.js` supports remote-access tokens and package update/skill-download network flows.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `bin/kai-cli.js` only validates bundled renderer files then loads the CLI entrypoint.
  • No source evidence of harvesting `.ssh`, npm credentials, foreign agent configs, or stealth persistence.
  • The CLI generates/displays an access token before exposing its HTTP interface; no unconsented install-time action was found.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 5.09 MB of source, external domains: 127.0.0.1, angular.io, api.github.com, chevrotain.io, en.wikibooks.org, en.wikipedia.org, github.com, jimmy.warting.se, langium.org, lodash.com, npms.io, openjsf.org, raw.githubusercontent.com, react.dev, tex.stackexchange.com, underscorejs.org, work.weixin.qq.com, www.apache.org, www.w3.org
Oversized source lightweight scan
dist-cli/kai-cli.js17.7 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsHighEntropyStringsUrlStrings127.0.0.1angular.ioapi.github.comgithub.comjimmy.warting.selodash.comnpms.ioopenjsf.orgraw.githubusercontent.comunderscorejs.orgwork.weixin.qq.comwww.apache.org
dist-electron/renderer/assets/index-CvNq2hZf.js5.38 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsgithub.comreact.dev

Source & flagged code

5 flagged · loading source
bin/kai-cli.jsView file
8L9: const { existsSync } = require('fs') L10: const { resolve, dirname } = require('path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/kai-cli.jsView on unpkg · L8
dist-electron/renderer/assets/diagram-MMDJMWI5-CQyMbB4C.js.gzView file
path = dist-[redacted]-MMDJMWI5-CQyMbB4C.js.gz kind = compressed_blob sizeBytes = 3129 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist-electron/renderer/assets/diagram-MMDJMWI5-CQyMbB4C.js.gzView on unpkg
dist-electron/renderer/assets/chunk-OYMX7WX6-89Cfdes5.js.gzView file
path = dist-electron/renderer/assets/chunk-OYMX7WX6-89Cfdes5.js.gz kind = high_entropy_blob sizeBytes = 16551 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-electron/renderer/assets/chunk-OYMX7WX6-89Cfdes5.js.gzView on unpkg
dist-electron/renderer/assets/index-CvNq2hZf.jsView file
path = dist-electron/renderer/assets/index-CvNq2hZf.js kind = oversized_source_file sizeBytes = 5637683 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-electron/renderer/assets/index-CvNq2hZf.jsView on unpkg
dist-cli/kai-cli.jsView file
path = dist-cli/kai-cli.js kind = oversized_cli_entrypoint sizeBytes = 18611143 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist-cli/kai-cli.jsView on unpkg

Findings

2 High6 Medium3 Low
HighShips High Entropy Blobdist-electron/renderer/assets/chunk-OYMX7WX6-89Cfdes5.js.gz
HighOversized Source Filedist-electron/renderer/assets/index-CvNq2hZf.js
MediumDynamic Requirebin/kai-cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobdist-electron/renderer/assets/diagram-MMDJMWI5-CQyMbB4C.js.gz
MediumOversized Cli Entrypointdist-cli/kai-cli.js
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings