registry  /  @treeseed/agent  /  0.12.7

@treeseed/agent@0.12.7

Treeseed agent service runtime package.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
Explicit `treeseed-agents`/service runtime execution with configured provider and Codex environment variables.
Impact
Can modify an assigned repository worktree and create a configured Codex auth file.
Mechanism
Configured AI-agent orchestration with workspace-write and MCP tool dispatch.
Rationale
Source inspection found a real, high-impact AI-agent capability but no concrete malicious chain. Mark as a warning for dangerous runtime capability rather than block it.
Evidence
package.jsondist/scripts/prepare.jsdist/agents/adapters/execution-codex.jsdist/agents/adapters/codex-auth.jsdist/agents/tools/agent-tool-mcp-server.jsdist/provider/config.jsdist/scripts/treeseed-agents.jsdist/scripts/treeseed-agent-service.jsdist/agents/registry.jsdist/provider/client.js
Network endpoints1
api.treeseed.dev

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/agents/adapters/execution-codex.js` starts Codex with workspace-write capability and approved assignment-scoped MCP tools.
  • `dist/agents/adapters/codex-auth.js` can create `CODEX_HOME/auth.json` from explicitly supplied environment credentials.
  • `dist/provider/config.js` defaults provider management traffic to `https://api.treeseed.dev`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; its `prepare` target `scripts/prepare.ts` is absent from the packed package.
  • CLI wrappers dispatch only fixed internal scripts after explicit user commands.
  • Codex workspace-write requests require a worktree and non-empty allowed paths.
  • Credential creation uses supplied `TREESEED_CODEX_AUTH_JSON` data and does not harvest existing credentials.
  • No source evidence of hidden exfiltration, destructive install behavior, remote payload download, or broad foreign agent-config mutation.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
CopyleftLicense
scanned 147 file(s), 1005 KB of source, external domains: 127.0.0.1, api.github.com, api.treeseed.dev, backboard.railway.com, discord.com, example.com, example.invalid, example.test, github.com, platform.openai.com, study.local

Source & flagged code

2 flagged · loading source
dist/agents/registry.jsView file
79} L80: function resolveSelfContractImport(importPath) { L81: const relativeContractPath = SELF_CONTRACT_IMPORTS[importPath];
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/agents/registry.jsView on unpkg · L79
docker-entrypoint.shView file
path = docker-entrypoint.sh kind = build_helper sizeBytes = 498 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

docker-entrypoint.shView on unpkg

Findings

5 Medium6 Low
MediumDynamic Requiredist/agents/registry.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdocker-entrypoint.sh
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowCopyleft License