registry  /  @tyvm/knowhow  /  0.0.127

@tyvm/knowhow@0.0.127

ai cli with plugins and agents

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an AI CLI/agent tool with user-invoked network, shell, and file-write capabilities aligned with its stated purpose.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs knowhow CLI commands or configures agent/plugins.
Impact
Expected CLI/agent behavior; no install-time execution, credential harvesting, or covert exfiltration found.
Mechanism
User-invoked AI provider calls, shell commands, and file operations.
Rationale
Static inspection shows risky primitives, but they are package-aligned and user-invoked in an AI CLI; there is no lifecycle execution, covert credential collection, hidden payload, or unconsented agent control-surface mutation. The scanner's xAI credential finding is normal provider authorization to xAI endpoints.
Evidence
package.jsonbin/knowhow.jsts_build/src/cli.jsts_build/src/index.jssrc/clients/xai.tssrc/services/KnowhowClient.tssrc/config.tssrc/chat/modules/ShellCommandModule.tssrc/plugins/exec.tssrc/agents/tools/writeFile.tstests/manual/ycmd/test_ycmd_usage.py~/.knowhow/knowhow.json.knowhow/.knowhow/.jwt
Network endpoints3
api.x.ai/v1api.x.ai/v1/responsesapi.knowhow.tyvm.ai

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with medium false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/postinstall hook; prepublishOnly is publisher-side compile/check only.
    • bin/knowhow.js only re-execs ts_build/src/cli.js with --no-node-snapshot, forwarding user CLI args.
    • ts_build/src/cli.js registers commands after migrateConfig/getConfig; no import-time exfiltration or hidden payload execution seen.
    • src/clients/xai.ts sends user-requested model inputs to https://api.x.ai/v1 with XAI_API_KEY as provider auth, not arbitrary env harvesting.
    • Shell/file-write primitives in src/chat/modules/ShellCommandModule.ts, src/plugins/exec.ts, and src/agents/tools/writeFile.ts are explicit CLI/agent features.
    • tests/manual/ycmd/test_ycmd_usage.py is plain sample code; scanner payload flag appears to be file-type noise.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 640 file(s), 4.12 MB of source, external domains: api.cerebras.ai, api.deepseek.com, api.example.com, api.fireworks.ai, api.githubcopilot.com, api.groq.com, api.knowhow.tyvm.ai, api.llama.com, api.mistral.ai, api.openai.com, api.x.ai, app.asana.com, app.knowhow.run, asana.com, docs.docker.com, example.com, generativelanguage.googleapis.com, github.com, integrate.api.nvidia.com, invalid-api-url-that-does-not-exist.com, knowhow.tyvm.ai, mock.local, models.dev, models.github.ai, openrouter.ai, registry.npmjs.org, www.googleapis.com, www.youtube.com

    Source & flagged code

    12 flagged · loading source
    bin/knowhow.jsView file
    2L3: const { spawnSync } = require("node:child_process"); L4: const path = require("node:path");
    High
    Child Process

    Package source references child process execution.

    bin/knowhow.jsView on unpkg · L2
    2L3: const { spawnSync } = require("node:child_process"); L4: const path = require("node:path");
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    bin/knowhow.jsView on unpkg · L2
    tests/manual/browser-login/test_cli_integration.tsView file
    24L25: const execAsync = promisify(exec); L26:
    High
    Shell

    Package source references shell execution.

    tests/manual/browser-login/test_cli_integration.tsView on unpkg · L24
    src/hashes.tsView file
    8try { L9: const hashes = JSON.parse(await readFile(".knowhow/.hashes.json", "utf8")); L10: return hashes as Hashes;
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    src/hashes.tsView on unpkg · L8
    ts_build/src/clients/xai.jsView file
    14apiKey; L15: constructor(apiKey = process.env.XAI_API_KEY) { L16: this.apiKey = apiKey || ""; ... L18: apiKey: apiKey || process.env.XAI_API_KEY, L19: baseURL: "https://api.x.ai/v1", L20: }); ... L142: }, L143: body: JSON.stringify(body), L144: }); L145: if (!response.ok) { L146: const errorText = await response.text(); L147: throw new Error(`XAI Responses API error: ${response.status} ${errorText}`);
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    ts_build/src/clients/xai.jsView on unpkg · L14
    14Trigger-reachable chain: manifest.main -> ts_build/src/index.js -> ts_build/src/clients/index.js -> ts_build/src/clients/xai.js L14: apiKey; L15: constructor(apiKey = process.env.XAI_API_KEY) { L16: this.apiKey = apiKey || ""; ... L18: apiKey: apiKey || process.env.XAI_API_KEY, L19: baseURL: "https://api.x.ai/v1", L20: }); ... L142: }, L143: body: JSON.stringify(body), L144: }); L145: if (!response.ok) { L146: const errorText = await response.text(); L147: throw new Error(`XAI Responses API error: ${response.status} ${errorText}`);
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    ts_build/src/clients/xai.jsView on unpkg · L14
    tests/manual/ycmd/debug_diagnostics_test.tsView file
    112try { L113: execSync(`npx tsc --noEmit ${testFile}`, { stdio: "pipe" }); L114: console.log("✅ TypeScript compiler found no errors");
    High
    Runtime Package Install

    Package source invokes a package manager install command at runtime.

    tests/manual/ycmd/debug_diagnostics_test.tsView on unpkg · L112
    tests/manual/ycmd/test_ycmd_usage.pyView file
    path = tests/manual/ycmd/test_ycmd_usage.py kind = payload_in_excluded_dir sizeBytes = 853 magicHex = [redacted]
    High
    Payload In Excluded Dir

    Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

    tests/manual/ycmd/test_ycmd_usage.pyView on unpkg
    path = tests/manual/ycmd/test_ycmd_usage.py kind = build_helper sizeBytes = 853 magicHex = [redacted]
    Medium
    Ships Build Helper

    Package ships non-JavaScript build or shell helper files.

    tests/manual/ycmd/test_ycmd_usage.pyView on unpkg
    tests/unit/commands/github-credentials.test.tsView file
    31patternName = generic_password severity = medium line = 31 matchedText = password...23",
    Medium
    Secret Pattern

    Hardcoded password in tests/unit/commands/github-credentials.test.ts

    tests/unit/commands/github-credentials.test.tsView on unpkg · L31
    tests/fixtures/fake-secret.txtView file
    1patternName = supabase_service_key severity = critical line = 1 matchedText = eyJhbGci..._USE
    Critical
    Secret Pattern

    Supabase service role key (JWT) in tests/fixtures/fake-secret.txt

    tests/fixtures/fake-secret.txtView on unpkg · L1
    ts_build/tests/unit/commands/github-credentials.test.jsView file
    19patternName = generic_password severity = medium line = 19 matchedText = password...23",
    Medium
    Secret Pattern

    Hardcoded password in ts_build/tests/unit/commands/github-credentials.test.js

    ts_build/tests/unit/commands/github-credentials.test.jsView on unpkg · L19

    Findings

    3 Critical4 High7 Medium7 Low
    CriticalCredential Exfiltrationts_build/src/clients/xai.js
    CriticalTrigger Reachable Dangerous Capabilityts_build/src/clients/xai.js
    CriticalSecret Patterntests/fixtures/fake-secret.txt
    HighChild Processbin/knowhow.js
    HighShelltests/manual/browser-login/test_cli_integration.ts
    HighRuntime Package Installtests/manual/ycmd/debug_diagnostics_test.ts
    HighPayload In Excluded Dirtests/manual/ycmd/test_ycmd_usage.py
    MediumDynamic Requirebin/knowhow.js
    MediumNetwork
    MediumEnvironment Vars
    MediumShips Build Helpertests/manual/ycmd/test_ycmd_usage.py
    MediumStructural Risk Force Deep Review
    MediumSecret Patterntests/unit/commands/github-credentials.test.ts
    MediumSecret Patternts_build/tests/unit/commands/github-credentials.test.js
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowWeak Cryptosrc/hashes.ts
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings