@su-record/torya@0.1.1

Torya — model-first autonomous coding agent. The model decides intent/plan/verification-need; deterministic code only executes and scores.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User runs `torya`, invokes the Hermes plugin, or manually runs integrations/hermes/hermes-hook/apply.py.
Impact
Can modify project files and run shell commands in a chosen workspace; Hermes hook can alter a local Hermes agent install for progress streaming.
Mechanism
user-invoked AI agent workspace mutation and explicit Hermes hook setup
Rationale
Source inspection shows no lifecycle hook or unconsented install-time mutation, and the risky primitives are aligned with an AI coding-agent CLI and explicit Hermes integration. Because the package ships user-command agent control-surface mutation and broad model-driven shell/file capabilities, warn rather than block.
Evidence
  • package.json
  • dist/cli.js
  • dist/tools.js
  • dist/registry.js
  • dist/catalog.js
  • dist/provider.js
  • dist/knowledge.js
  • integrations/hermes/hermes-hook/apply.py
  • integrations/hermes/torya_plugin/__init__.py
  • workspace-relative files via dist/tools.js
  • ~/.torya/models_dev.json
  • ~/.torya/knowledge.jsonl
  • ~/hermes-agent/agent/tool_executor.py
  • ~/hermes-agent/agent/tool_progress_bridge.py
Network endpoints (2)
  • models.dev/api.json
  • generativelanguage.googleapis.com/v1beta/models/

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • integrations/hermes/hermes-hook/apply.py explicitly patches a Hermes install's agent/tool_executor.py and copies tool_progress_bridge.py when user runs it.
  • integrations/hermes/torya_plugin/__init__.py registers a Hermes tool that shells out to `torya <goal> --cwd <ws> --json`.
  • dist/tools.js exposes write/edit/append/read/grep/glob/bash tools to model-driven builds inside the selected workspace.
  • dist/registry.js reads local provider credentials from ~/.torya, ~/.torydev, ~/.hermes, ~/.claude, ~/.codex and process.env.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks.
  • dist/cli.js only runs on explicit CLI invocation via bin `torya`.
  • dist/tools.js confines file operations to the resolved workspace path before writing or reading.
  • Network calls are package-aligned provider/catalog operations, not hidden exfiltration endpoints.
  • No obfuscated payloads, destructive install-time behavior, or persistence startup hooks found.
Behavioral surface
Source
  • ChildProcess
  • EnvironmentVars
  • Filesystem
  • Network
  • Shell
Supply chain
  • HighEntropyStrings
  • UrlStrings
Manifest
No manifest risk signals triggered.
scanned 27 file(s), 119 KB of source, external domains: generativelanguage.googleapis.com, github.com, models.dev

Source & flagged code

1 flagged
integrations/hermes/hermes-hook/tool_progress_bridge.py
path = integrations/hermes/hermes-hook/tool_progress_bridge.py kind = build_helper sizeBytes = 2299 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Findings

4 Medium, 4 Low
  • Medium: Network
  • Medium: Environment Vars
  • Medium: Ships Build Helper (integrations/hermes/hermes-hook/tool_progress_bridge.py)
  • Medium: Structural Risk Force Deep Review
  • Low: Scripts Present
  • Low: Filesystem
  • Low: High Entropy Strings
  • Low: Url Strings