registry  /  @sofagent/audit  /  1.0.0

@sofagent/audit@1.0.0

sofagent 提交时审计——扫描 git diff,检查 Agent 是否遵守工作纪律

AI Security Review

scanned 10h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time execution or confirmed covert exfiltration is present. Explicit CLI initialization can create a project `.sofagent/config.yml` and replace a Git pre-commit hook; optional webhook delivery sends audit results to a user-configured endpoint.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `sofagent-audit --init`, `--install-hook`, or enables `--webhook`/`--webhook-url`.
Impact
A requested setup command can alter the current repository hook and configuration; configured webhooks can receive audit warning text.
Mechanism
User-invoked Git-hook setup and optional audit-result webhook POST.
Rationale
Source inspection does not support a malicious verdict, but explicit setup mutates a Git lifecycle hook and optional webhook reporting can export audit output. Treat as a transparent, user-invoked lifecycle-risk capability rather than malware.
Evidence
package.jsondist/index.jsdist/commands/init.jsdist/webhook.jsdist/verify/checks.jsdist/env-check.jsdist/rules/skill-safety-rules.jshooks/pre-commit.sofagent/config.yml.git/hooks/pre-commit

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands/init.js` writes `.git/hooks/pre-commit` when the user runs `--init`.
  • `dist/index.js` exposes explicit `--install-hook` and webhook options.
  • `dist/webhook.js` POSTs audit warning details to a user-supplied URL or `SOFAGENT_WEBHOOK_URL`.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • `dist/webhook.js` sends only when the user enables a webhook and supplies/configures its URL.
  • `dist/commands/init.js` runs only through explicit CLI initialization and writes project-local `.sofagent` plus Git hook paths.
  • `dist/env-check.js` and `dist/commands/doctor.js` use commands for environment/health checks, not payload execution.
  • `dist/rules/skill-safety-rules.js` contains detection regexes for `eval`/`Function`, not dynamic execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 50 file(s), 271 KB of source, external domains: github.com, nodejs.org, registry.npmjs.org

Source & flagged code

4 flagged · loading source
dist/env-check.jsView file
6exports.checkEnv = checkEnv; L7: const child_process_1 = require("child_process"); L8: const fs_1 = require("fs");
High
Child Process

Package source references child process execution.

dist/env-check.jsView on unpkg · L6
dist/rules/skill-safety-rules.jsView file
36// === 危险调用 (SUSPICIOUS) === L37: { pattern: /eval\(.*[^0-9"'].*\)/, category: '危险调用', severity: 'SUSPICIOUS', description: 'eval() 非常量参数' }, L38: { pattern: /os\.system\(/, category: '危险调用', severity: 'SUSPICIOUS', description: 'os.system() 系统调用' },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/rules/skill-safety-rules.jsView on unpkg · L36
dist/verify/checks.jsView file
300// ao compose 健康检查 L301: const aoComposeOut = (0, utils_js_1.tryExec)('ao', ['compose', '--version']); L302: if (aoComposeOut) { ... L314: if (aoMajor === 0 && (aoMinor < 7 || (aoMinor === 7 && aoPatch < 5))) { L315: v.checkWarn(`ao 版本低于 0.7.5(当前 ${aoVer}),建议升级:npm install -g agency-orchestrator@0.7.5`); L316: }
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/verify/checks.jsView on unpkg · L300
dist/commands/doctor.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @sofagent/audit@0.99.8 matchedIdentity = npm:QHNvZmFnZW50L2F1ZGl0:0.99.8 similarity = 0.857 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/commands/doctor.jsView on unpkg

Findings

1 Critical2 High3 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/commands/doctor.js
HighChild Processdist/env-check.js
HighRuntime Package Installdist/verify/checks.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/rules/skill-safety-rules.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings