registry  /  @tyvm/knowhow  /  0.0.129

@tyvm/knowhow@0.0.129

ai cli with plugins and agents

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs the `knowhow` CLI, invokes `init`, or supplies `!`/`/!` input to the exec plugin.
Impact
A user or an agent granted command input can execute arbitrary local shell commands with that user's permissions.
Mechanism
User-gated agent shell execution and package-owned configuration/module setup.
Rationale
Source inspection found no install hook or covert exfiltration. The package nevertheless ships enabled, user/agent-triggered arbitrary shell execution and first-party agent configuration setup.
Evidence
package.jsonbin/knowhow.jssrc/cli.tssrc/config.tssrc/plugins/exec.tssrc/clients/xai.ts.knowhow/knowhow.json~/.knowhow/knowhow.json
Network endpoints2
api.x.ai/v1api.knowhow.tyvm.ai

Decision evidence

public snapshot
AI called this Suspicious at 87.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `src/plugins/exec.ts` runs shell commands via `execSync` when input begins `!` or `/!`.
  • `src/config.ts` enables the `exec` plugin by default and `init()` registers `@tyvm/knowhow-module-script` globally.
  • `src/cli.ts` runs `migrateConfig()` before CLI argument parsing and loads configured modules.
  • `src/clients/xai.ts` sends configured model requests using `XAI_API_KEY` to xAI.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • Shell execution is gated by explicit command-like input, not import or install.
  • Config writes target the package's `.knowhow` project/global configuration, not foreign agent files.
  • No source evidence of credential harvesting, covert exfiltration, remote payload download, or destructive behavior.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 659 file(s), 4.20 MB of source, external domains: api.cerebras.ai, api.deepseek.com, api.example.com, api.fireworks.ai, api.githubcopilot.com, api.groq.com, api.knowhow.tyvm.ai, api.llama.com, api.meta.ai, api.mistral.ai, api.openai.com, api.x.ai, app.asana.com, app.knowhow.run, asana.com, docs.docker.com, example.com, generativelanguage.googleapis.com, github.com, integrate.api.nvidia.com, invalid-api-url-that-does-not-exist.com, knowhow.tyvm.ai, mock.local, models.dev, models.github.ai, openrouter.ai, registry.npmjs.org, www.googleapis.com, www.youtube.com

Source & flagged code

13 flagged · loading source
bin/knowhow.jsView file
2L3: const { spawnSync } = require("node:child_process"); L4: const path = require("node:path");
High
Child Process

Package source references child process execution.

bin/knowhow.jsView on unpkg · L2
2L3: const { spawnSync } = require("node:child_process"); L4: const path = require("node:path");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/knowhow.jsView on unpkg · L2
tests/manual/browser-login/test_cli_integration.tsView file
24L25: const execAsync = promisify(exec); L26:
High
Shell

Package source references shell execution.

tests/manual/browser-login/test_cli_integration.tsView on unpkg · L24
src/hashes.tsView file
8try { L9: const hashes = JSON.parse(await readFile(".knowhow/.hashes.json", "utf8")); L10: return hashes as Hashes;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/hashes.tsView on unpkg · L8
ts_build/src/clients/xai.jsView file
14apiKey; L15: constructor(apiKey = process.env.XAI_API_KEY) { L16: this.apiKey = apiKey || ""; ... L18: apiKey: apiKey || process.env.XAI_API_KEY, L19: baseURL: "https://api.x.ai/v1", L20: }); ... L142: }, L143: body: JSON.stringify(body), L144: }); L145: if (!response.ok) { L146: const errorText = await response.text(); L147: throw new Error(`XAI Responses API error: ${response.status} ${errorText}`);
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

ts_build/src/clients/xai.jsView on unpkg · L14
14Trigger-reachable chain: manifest.main -> ts_build/src/index.js -> ts_build/src/clients/index.js -> ts_build/src/clients/xai.js L14: apiKey; L15: constructor(apiKey = process.env.XAI_API_KEY) { L16: this.apiKey = apiKey || ""; ... L18: apiKey: apiKey || process.env.XAI_API_KEY, L19: baseURL: "https://api.x.ai/v1", L20: }); ... L142: }, L143: body: JSON.stringify(body), L144: }); L145: if (!response.ok) { L146: const errorText = await response.text(); L147: throw new Error(`XAI Responses API error: ${response.status} ${errorText}`);
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

ts_build/src/clients/xai.jsView on unpkg · L14
tests/manual/ycmd/debug_diagnostics_test.tsView file
112try { L113: execSync(`npx tsc --noEmit ${testFile}`, { stdio: "pipe" }); L114: console.log("✅ TypeScript compiler found no errors");
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

tests/manual/ycmd/debug_diagnostics_test.tsView on unpkg · L112
tests/manual/ycmd/test_ycmd_usage.pyView file
path = tests/manual/ycmd/test_ycmd_usage.py kind = payload_in_excluded_dir sizeBytes = 853 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

tests/manual/ycmd/test_ycmd_usage.pyView on unpkg
path = tests/manual/ycmd/test_ycmd_usage.py kind = build_helper sizeBytes = 853 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

tests/manual/ycmd/test_ycmd_usage.pyView on unpkg
ts_build/tests/processors/TokenCompressor.test.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @tyvm/knowhow@0.0.127 matchedIdentity = npm:QHR5dm0va25vd2hvdw:0.0.127 similarity = 0.950 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

ts_build/tests/processors/TokenCompressor.test.jsView on unpkg
tests/unit/commands/github-credentials.test.tsView file
31patternName = generic_password severity = medium line = 31 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in tests/unit/commands/github-credentials.test.ts

tests/unit/commands/github-credentials.test.tsView on unpkg · L31
tests/fixtures/fake-secret.txtView file
1patternName = supabase_service_key severity = critical line = 1 matchedText = eyJhbGci..._USE
Critical
Secret Pattern

Supabase service role key (JWT) in tests/fixtures/fake-secret.txt

tests/fixtures/fake-secret.txtView on unpkg · L1
ts_build/tests/unit/commands/github-credentials.test.jsView file
19patternName = generic_password severity = medium line = 19 matchedText = password...23",
Medium
Secret Pattern

Hardcoded password in ts_build/tests/unit/commands/github-credentials.test.js

ts_build/tests/unit/commands/github-credentials.test.jsView on unpkg · L19

Findings

4 Critical4 High7 Medium7 Low
CriticalCredential Exfiltrationts_build/src/clients/xai.js
CriticalTrigger Reachable Dangerous Capabilityts_build/src/clients/xai.js
CriticalPrevious Version Dangerous Deltats_build/tests/processors/TokenCompressor.test.js
CriticalSecret Patterntests/fixtures/fake-secret.txt
HighChild Processbin/knowhow.js
HighShelltests/manual/browser-login/test_cli_integration.ts
HighRuntime Package Installtests/manual/ycmd/debug_diagnostics_test.ts
HighPayload In Excluded Dirtests/manual/ycmd/test_ycmd_usage.py
MediumDynamic Requirebin/knowhow.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpertests/manual/ycmd/test_ycmd_usage.py
MediumStructural Risk Force Deep Review
MediumSecret Patterntests/unit/commands/github-credentials.test.ts
MediumSecret Patternts_build/tests/unit/commands/github-credentials.test.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptosrc/hashes.ts
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings