registry  /  @tonyclaw/agent-inspector  /  2.0.41

@tonyclaw/agent-inspector@2.0.41

Agent observability and knowledge capture layer for AI coding tools.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The package mutates AI-agent control surfaces during npm install by installing onboarding skills into Codex/Claude homes. This is not merely a user-invoked CLI action because package.json postinstall invokes it automatically.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install or package postinstall on a host with ~/.codex or ~/.claude present
Impact
Adds AI-agent-readable skill/command files that can steer future Codex or Claude Code behavior toward Agent Inspector onboarding and MCP wiring.
Mechanism
unconsented lifecycle AI-agent skill installation
Policy narrative
On install, postinstall runs setup-agent-skills.mjs. If Codex or Claude homes exist, it spawns the bundled CLI onboard command, which writes generated skill/command files into those agents' control surfaces without an explicit user command, creating future agent instructions for connecting to Agent Inspector.
Rationale
Static inspection confirms automatic install-time writes to Codex/Claude skill locations, which is unconsented lifecycle AI-agent control-surface mutation even though the generated content is mostly package-aligned onboarding. No credential harvesting or external exfiltration was found, but this install-time behavior is sufficient to block. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.jsonscripts/setup-agent-skills.mjssrc/cli/onboard.tssrc/cli/templates/codex-skill-onboard.tssrc/components/providers/ProviderForm.tsx~/.codex/skills/agent-inspector-onboard/SKILL.md~/.claude/skills/agent-inspector-onboard/SKILL.md~/.claude/commands/agent-inspector:onboard.md
Network endpoints2
localhost:25947/api/mcplocalhost:25947/proxy

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: scripts/setup-windows-runtime.mjs && scripts/setup-agent-skills.mjs.
  • scripts/setup-agent-skills.mjs auto-runs .output/cli.js onboard --codex-only when ~/.codex exists.
  • src/cli/onboard.ts writes ~/.codex/skills/agent-inspector-onboard/SKILL.md via writeFileSync.
  • src/cli/onboard.ts also writes Claude skill/command files under selected skill dirs.
  • Lifecycle-triggered AI-agent skill/config-surface mutation is automatic unless opt-out env vars are set.
Evidence against
  • Generated Codex skill is package-aligned onboarding for local Agent Inspector MCP, not credential exfiltration.
  • Codex skill text explicitly says not to read auth/token files and to ask before editing config.toml.
  • Network URLs are expected provider/proxy endpoints for an AI traffic inspector.
  • ProviderForm.tsx only contains UI presets/model metadata handling; no attack behavior found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
WildcardDependency
scanned 213 file(s), 1.25 MB of source, external domains: 127.0.0.1, api-docs.deepseek.com, api.anthropic.com, api.deepseek.com, api.example.com, api.groq.com, api.minimaxi.com, api.openai.com, api.together.xyz, dashscope.aliyuncs.com, docs.bigmodel.cn, example.com, huggingface.co, nodejs.org, open.bigmodel.cn, opencode.ai, openrouter.ai, platform.minimaxi.com, www.w3.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/setup-windows-runtime.mjs && node scripts/setup-agent-skills.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/setup-windows-runtime.mjs && node scripts/setup-agent-skills.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
src/assets/agent-inspector.icoView file
path = src/assets/agent-inspector.ico kind = high_entropy_blob sizeBytes = 23504 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

src/assets/agent-inspector.icoView on unpkg
src/components/providers/ProviderForm.tsxView file
matchType = previous_version_dangerous_delta matchedPackage = @tonyclaw/agent-inspector@2.0.39 matchedIdentity = npm:[redacted]:2.0.39 similarity = 0.917 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

src/components/providers/ProviderForm.tsxView on unpkg

Findings

1 Critical2 High5 Medium6 Low
CriticalPrevious Version Dangerous Deltasrc/components/providers/ProviderForm.tsx
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobsrc/assets/agent-inspector.ico
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings