registry  /  @sinm/kai  /  1.12.2

@sinm/kai@1.12.2

KAi — Multi-Agent Collaborative Chat

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `kai-cli start` and enables or invokes agent tools, MCP servers, browser search, or skill installation.
Impact
An agent session or configured MCP server can execute commands with the launching user's privileges; this is a dangerous capability but not covert package behavior.
Mechanism
User-invoked AI-agent command execution and package-owned skill management.
Rationale
The package is not malicious by static source evidence, but it deliberately provides high-impact AI-agent execution primitives without a per-command confirmation boundary visible in the bundled source. Flag as a warning for dangerous capability rather than block it.
Evidence
package.jsonbin/kai-cli.jsdist-cli/kai-cli.jsdist-electron/renderer/assets/cytoscape.esm-D6E6cAed.js.gz
Network endpoints2
api.github.comraw.githubusercontent.com

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist-cli/kai-cli.js` exposes an AI-callable shell tool that runs arbitrary commands via the user's shell.
  • `dist-cli/kai-cli.js` starts configured MCP command servers with inherited environment variables.
  • `dist-cli/kai-cli.js` provides PTY and agent-browser execution capabilities.
  • `dist-cli/kai-cli.js` can download and install skill packages into its own `.kai` data area.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or other lifecycle scripts.
  • `bin/kai-cli.js` only validates bundled renderer files, then loads the CLI entrypoint.
  • The HTTP server and remote-access token are started only by explicit `kai-cli start`.
  • Compressed renderer assets decode as ordinary JavaScript, not an opaque executable payload.
  • No source evidence of credential harvesting, hidden exfiltration, destructive install-time behavior, or foreign agent-config mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 54 file(s), 5.09 MB of source, external domains: 127.0.0.1, angular.io, api.github.com, chevrotain.io, en.wikibooks.org, en.wikipedia.org, github.com, jimmy.warting.se, langium.org, lodash.com, npms.io, openjsf.org, raw.githubusercontent.com, react.dev, tex.stackexchange.com, underscorejs.org, work.weixin.qq.com, www.apache.org, www.w3.org
Oversized source lightweight scan
dist-cli/kai-cli.js17.4 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsCryptoHighEntropyStringsUrlStrings127.0.0.1angular.ioapi.github.comgithub.comjimmy.warting.selodash.comnpms.ioopenjsf.orgraw.githubusercontent.comunderscorejs.orgwork.weixin.qq.comwww.apache.org
dist-electron/renderer/assets/index-Bb_KacN-.js5.09 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsreact.dev

Source & flagged code

5 flagged · loading source
bin/kai-cli.jsView file
8L9: const { existsSync } = require('fs') L10: const { resolve, dirname } = require('path')
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/kai-cli.jsView on unpkg · L8
dist-electron/renderer/assets/cytoscape.esm-D6E6cAed.js.gzView file
path = dist-[redacted].esm-D6E6cAed.js.gz kind = high_entropy_blob sizeBytes = 202188 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist-electron/renderer/assets/cytoscape.esm-D6E6cAed.js.gzView on unpkg
path = dist-[redacted].esm-D6E6cAed.js.gz kind = compressed_blob sizeBytes = 202188 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist-electron/renderer/assets/cytoscape.esm-D6E6cAed.js.gzView on unpkg
dist-electron/renderer/assets/index-Bb_KacN-.jsView file
path = dist-electron/renderer/assets/index-Bb_KacN-.js kind = oversized_source_file sizeBytes = 5339805 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist-electron/renderer/assets/index-Bb_KacN-.jsView on unpkg
dist-cli/kai-cli.jsView file
path = dist-cli/kai-cli.js kind = oversized_cli_entrypoint sizeBytes = 18279025 magicHex = [redacted]
Medium
Oversized Cli Entrypoint

Package contains an oversized executable-looking CLI entrypoint.

dist-cli/kai-cli.jsView on unpkg

Findings

2 High6 Medium3 Low
HighShips High Entropy Blobdist-electron/renderer/assets/cytoscape.esm-D6E6cAed.js.gz
HighOversized Source Filedist-electron/renderer/assets/index-Bb_KacN-.js
MediumDynamic Requirebin/kai-cli.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobdist-electron/renderer/assets/cytoscape.esm-D6E6cAed.js.gz
MediumOversized Cli Entrypointdist-cli/kai-cli.js
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings