registry  /  @swarmdo/cli  /  1.45.0

@swarmdo/cli@1.45.0

⚠ Under review

Swarmdo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `swarmdo init` without `--no-global`.
Impact
The package can influence future Claude Code behavior on that machine until the added global guidance is removed.
Mechanism
Explicit CLI initialization writes Claude Code configuration and guidance.
Rationale
The package is not conclusively malicious, but its default explicit initialization mutates a global AI-agent instruction file. This warrants a warning under the firewall policy for explicit-user-command agent configuration mutation.
Evidence
package.jsonscripts/postinstall.cjsdist/src/commands/init.jsdist/src/init/executor.jsdist/src/commands/security.js<targetDir>/.claude/settings.json<targetDir>/.mcp.json<targetDir>/CLAUDE.md~/.claude/CLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/src/commands/init.js` invokes initialization only for explicit `swarmdo init`.
  • `dist/src/init/executor.js` appends a Swarmdo instruction block to `~/.claude/CLAUDE.md` by default.
  • Init also creates project Claude configuration, helpers, hooks, MCP config, and agent assets.
  • `scripts/postinstall.cjs` mutates reachable `agentdb` dependency files during installation.
Evidence against
  • Postinstall only copies legacy `agentdb` directories; its exports augmentation function is not called.
  • No install-time network, shell execution, credential harvesting, or AI-agent config write was found.
  • Global Claude mutation has an explicit `--no-global` opt-out and is reached through a user CLI command.
  • The scanner's `eval` match is a security-scanner regex, not runtime dynamic execution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 583 file(s), 7.82 MB of source, external domains: accounts.google.com, aistudio.google.com, api.anthropic.com, api.npmjs.org, api.openai.com, api.pinata.cloud, api.web3.storage, claude.com, cli.github.com, cloud.google.com, cloudflare-ipfs.com, datasets-server.huggingface.co, dweb.link, example.com, gateway.pinata.cloud, generativelanguage.googleapis.com, git-scm.com, github.com, html.duckduckgo.com, hub.docker.com, huggingface.co, ipfs.io, json.schemastore.org, no-such-registry-9c8c43.example.invalid, nodejs.org, oauth2.googleapis.com, ollama.com, openrouter.ai, pinata.cloud, raw.githubusercontent.com, registry.npmjs.org, sql.js.org, storage.googleapis.com, swarmdo.com, us-central1-swarmdo.cloudfunctions.net, w3s.link, web3.storage, www.apple.com

Source & flagged code

17 flagged · loading source
package.jsonView file
scripts.postinstall = node ./scripts/postinstall.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./scripts/postinstall.cjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/src/init/statusline-generator.jsView file
85const path = require('path'); L86: const { execSync } = require('child_process'); L87: const os = require('os');
High
Child Process

Package source references child process execution.

dist/src/init/statusline-generator.jsView on unpkg · L85
222? '"' + process.execPath + '" "' + cliBin + '" hooks statusline --json 2>/dev/null' L223: : 'npx --prefer-offline @swarmdo/cli hooks statusline --json 2>/dev/null'; L224: const raw = execSync( L225: cmd,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/src/init/statusline-generator.jsView on unpkg · L222
18* install with custom prefix, pnpm content-addressable layout, etc.). Walks up L19: * from this module's location until it finds a package.json whose name is L20: * `@swarmdo/cli`. Works in both the src tree (under tsx) and the compiled dist ... L32: try { L33: const pkg = JSON.parse(fs.readFileSync(candidate, 'utf-8')); L34: if (pkg.name === '@swarmdo/cli' && typeof pkg.version === 'string' && pkg.version.length > 0) { ... L85: const path = require('path'); L86: const { execSync } = require('child_process'); L87: const os = require('os'); ... L98: // SWARMDO_STATUSLINE_HIDE_COST 1/true/yes/on removes the segment entirely. L99: costSymbol: process.env.SWARMDO_STATUSLINE_COST_SYMBOL ?? '$', L100: hideCost: /^(1|true|yes|on)$/i.test(process.env.SWARMDO_STATUSLINE_HIDE_COST || ''),
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/src/init/statusline-generator.jsView on unpkg · L18
dist/src/init/executor.jsView file
254// Platform-specific command wrappers L255: // Windows: Use PowerShell-compatible commands L256: // Mac/Linux: Use bash-compatible commands with 2>/dev/null
High
Shell

Package source references shell execution.

dist/src/init/executor.jsView on unpkg · L254
272// Uses node -e with git rev-parse so hooks work regardless of CWD (#1259, #1284). L273: const gitRootResolver = "var c=require('child_process'),p=require('path'),u=require('url'),r;" L274: + "try{r=c.execSync('git rev-parse --show-toplevel',{encoding:'utf8'}).trim()}"
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/src/init/executor.jsView on unpkg · L272
dist/src/commands/security.jsView file
143const codePatterns = [ L144: { pattern: /eval\s*\(/g, type: 'Eval Usage', severity: 'medium', desc: 'eval() can execute arbitrary code' }, L145: { pattern: /innerHTML\s*=/g, type: 'innerHTML', severity: 'medium', desc: 'XSS risk with innerHTML' },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/src/commands/security.jsView on unpkg · L143
dist/src/benchmarks/gaia-tools/grounded_query.js#virtual:normalized:round1View file
49// 1. Environment variable (fastest path, used in test mocks and CI) L50: const envKey = process.env['GOOGLE_AI_API_KEY']; L51: if (envKey) ... L54: try { L55: const { execSync } = await import('node:child_process'); L56: const key = execSync('gcloud secrets versions access latest --secret=GOOGLE_AI_API_KEY --project=swarm-dev 2>/dev/null', { encoding: 'utf-8', timeout: 5_000 }).trim(); ... L62: } L63: throw new Error("grounded_query: No Google AI API key found.\nSet GOOGLE_AI_API_KEY env var, or ensure `gcloud` is authenticated and\nthe secret GOOGLE_AI_API_KEY exists in GCP pro... L64: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/src/benchmarks/gaia-tools/grounded_query.js#virtual:normalized:round1View on unpkg · L49
dist/src/memory/neural-package-bridge.jsView file
38package = @swarmdo/cli; repositoryIdentity = swarmdo; dependency = @swarmdo/neural L38: try { L39: const m = await import('@swarmdo/neural'); L40: const sys = m.createNeuralLearningSystem(mode);
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/src/memory/neural-package-bridge.jsView on unpkg · L38
vendor/rabitq-wasm/swarmvector_rabitq_wasm_bg.wasmView file
path = vendor/rabitq-wasm/swarmvector_rabitq_wasm_bg.wasm kind = wasm_module sizeBytes = 71343 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

vendor/rabitq-wasm/swarmvector_rabitq_wasm_bg.wasmView on unpkg
plugins/swarmdo-metaharness/scripts/smoke.shView file
path = plugins/swarmdo-metaharness/scripts/smoke.sh kind = build_helper sizeBytes = 124488 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

plugins/swarmdo-metaharness/scripts/smoke.shView on unpkg
.claude/skills/sdo-caveman-compress/scripts/benchmark.pyView file
path = .claude/skills/sdo-caveman-compress/scripts/benchmark.py kind = payload_in_excluded_dir sizeBytes = 2433 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.claude/skills/sdo-caveman-compress/scripts/benchmark.pyView on unpkg
dist/src/commands/release.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @swarmdo/cli@1.37.0 matchedIdentity = npm:QHN3YXJtZG8vY2xp:1.37.0 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/src/commands/release.jsView on unpkg
.claude/agents/sparc/refinement.mdView file
339patternName = generic_password severity = medium line = 339 matchedText = password...23!'
Medium
Secret Pattern

Hardcoded password in .claude/agents/sparc/refinement.md

.claude/agents/sparc/refinement.mdView on unpkg · L339
367patternName = generic_password severity = medium line = 367 matchedText = password...ord'
Medium
Secret Pattern

Hardcoded password in .claude/agents/sparc/refinement.md

.claude/agents/sparc/refinement.mdView on unpkg · L367
543patternName = generic_password severity = medium line = 543 matchedText = passwo...
Medium
Secret Pattern

Hardcoded password in .claude/agents/sparc/refinement.md

.claude/agents/sparc/refinement.mdView on unpkg · L543

Findings

1 Critical7 High11 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/src/commands/release.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/src/init/statusline-generator.js
HighShelldist/src/init/executor.js
HighSame File Env Network Executiondist/src/benchmarks/gaia-tools/grounded_query.js#virtual:normalized:round1
HighCopied Package Dependency Bridgedist/src/memory/neural-package-bridge.js
HighRuntime Package Installdist/src/init/statusline-generator.js
HighPayload In Excluded Dir.claude/skills/sdo-caveman-compress/scripts/benchmark.py
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/src/init/executor.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/src/init/statusline-generator.js
MediumShips Wasm Modulevendor/rabitq-wasm/swarmvector_rabitq_wasm_bg.wasm
MediumShips Build Helperplugins/swarmdo-metaharness/scripts/smoke.sh
MediumStructural Risk Force Deep Review
MediumSecret Pattern.claude/agents/sparc/refinement.md
MediumSecret Pattern.claude/agents/sparc/refinement.md
MediumSecret Pattern.claude/agents/sparc/refinement.md
LowScripts Present
LowEvaldist/src/commands/security.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings