registry  /  @toolpack-sdk/agents  /  2.5.0

@toolpack-sdk/agents@2.5.0

Production AI agents for Toolpack SDK — 8 channel integrations (Slack, Discord, Telegram, SMS, Email, Webhook, Scheduled, MCP), AgentMind persistent cognitive layer (goals, beliefs, reflections), interceptors, evals, and multi-agent coordination

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Network and process capabilities are documented SDK features activated by consumer configuration and explicit method calls.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Consumer starts configured channels, registry search, scheduler, or HotReloadWatcher.
Impact
No unconsented install-time execution, exfiltration, or foreign control-surface mutation established.
Mechanism
Configured messaging integrations, npm registry search, and opt-in local TypeScript rebuilds.
Rationale
The scanner's claimed command-output exfiltration is not supported by source inspection: the sole child-process path is an explicit hot-reload compile command whose output is handled locally. The package contains expected, consumer-configured agent and channel functionality but no concrete malicious chain.
Evidence
package.jsondist/index.jsdist/index.d.tsdist/channels/index.jsdist/registry/index.jsREADME.md
Network endpoints5
slack.com/api/auth.testslack.com/api/chat.postMessageapi.telegram.orgdiscord.com/api/v10registry.npmjs.org

Decision evidence

public snapshot
AI called this Clean at 96.0% confidence as Benign with low false-positive risk.
Evidence for block
  • `dist/index.js` exposes an opt-in hot-reload watcher that runs `npx tsc --build` after watched source changes.
  • `dist/index.js` can call `process.exit(0)` through the explicitly invoked registry restart flow.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or other lifecycle hook.
  • `dist/index.js` imports `child_process` only for `HotReloadWatcher`'s documented TypeScript rebuild.
  • `dist/index.d.ts` requires caller-provided watch paths and restart callback before hot reload activates.
  • Network calls in `dist/channels/index.js` target configured Slack, Telegram, and Discord integrations.
  • `dist/registry/index.js` only queries the configurable npm registry search endpoint.
  • No credential harvesting, shell-output forwarding, eval/vm use, payload download, or stealth persistence was found.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 12 file(s), 430 KB of source, external domains: api.telegram.org, discord.com, registry.npmjs.org, slack.com

Source & flagged code

3 flagged · loading source
dist/index.jsView file
18L19: ${J}`:"")+F},P=`${this.name}-replica`,E=this.description,O=this.model}else S={...ue,name:`ephemeral-${I.name}-${Date.now()}`,systemPrompt:I.systemPrompt(_)+F},P=I.name,E=I.descript... L20: ... L31: L32: Is this answer sufficient? Reply with ONLY "yes" or "no".`,{workflow:{mode:"single-shot"}})).output.toLowerCase().trim().startsWith("yes")}async handlePendingAsk(e,t,n,r){return aw... L33:
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/index.jsView on unpkg · L18
31L32: Is this answer sufficient? Reply with ONLY "yes" or "no".`,{workflow:{mode:"single-shot"}})).output.toLowerCase().trim().startsWith("yes")}async handlePendingAsk(e,t,n,r){return aw... L33:
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L31
dist/index.cjsView file
18Trigger-reachable chain: manifest.main -> dist/index.cjs L18: L19: ${H}`:"")+U},E=`${this.name}-replica`,_=this.description,D=this.model}else S={...L.AGENT_MODE,name:`ephemeral-${b.name}-${Date.now()}`,systemPrompt:b.systemPrompt(T)+U},E=b.name,_=... L20: ... L31: L32: Is this answer sufficient? Reply with ONLY "yes" or "no".`,{workflow:{mode:"single-shot"}})).output.toLowerCase().trim().startsWith("yes")}async handlePendingAsk(e,t,n,r){return aw... L33:
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.cjsView on unpkg · L18

Findings

2 Critical1 High2 Medium4 Low
CriticalCommand Output Exfiltrationdist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.cjs
HighChild Processdist/index.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings